The Green Sheet Online Edition
July 09, 2012 • Issue 12:07:01
Merchant info possibly compromised in breach
In an update describing the investigation of a data breach discovered by Global Payments Inc. in March 2012, Paul Garcia, the company's Chairman and Chief Executive Officer, said the leading acquirer discovered that hackers may have accessed personal information belonging to merchant applicants.
The vulnerable information - which the company has not confirmed was accessed - contains names, addresses, Social Security numbers, driver's license numbers and bank account numbers from merchant applications.
Merchant data in question
Garcia disclosed the potential vulnerability in a conference call held June 12, 2012, to provide an update on the company's continuing investigation of the breach. He stressed during the call that "it is unclear whether the intruders looked at or took any personal information from the company's computer," but when forensic analysis revealed the data vulnerability, Global Payments decided to disclose the possible compromise.
Garcia stated he doesn't believe the thieves even looked at the file containing the sensitive information "much less took any data," but the company decided best practices compel it to contact anyone potentially impacted by a breach of the merchant accounts. "We are going to properly address the situation and try to do the right thing for all the companies involved," he said.
"We sincerely apologize for this incident and are working diligently to conclude our investigation," Garcia added. "We are committed to fully resolve any issues arising from this matter." The company is offering at-risk merchants credit monitoring and $1 million in identity protection insurance at no cost.
Breach consequences and mitigation
Global Payments anticipates it will have additional costs to bear as a result of the breach, but those costs "are manageable," Garcia said. He stated the expense will not interfere with the company's growth and that the breach's financial impact will be discussed further in the next update call scheduled for July 26, 2012.
Garcia said Global Payments can confirm that only track 2 card data (consisting of primary account number, expiration date and service code) was stolen from fewer than 1.5 million accounts. The CEO also noted that the breach did not involve its customers at the POS level, so merchants do not have to make any POS changes to process secure transactions through Global Payments.
Garcia reported that the company hired a qualified security assessor to do an independent review of the company's Payment Card Industry (PCI) Data Security Standard (DSS) compliance. When the review is complete, and remediation is concluded, Garcia promised Global Payments will work with the card networks to get the company back on the networks' list of PCI DSS-compliant service providers.
"Our confidence level is growing every day," he said. "We feel like we are getting to the end of this." Global Payments is posting investigation updates at www.2012infosecurityupdate.com.