I wrote about a major credit card theft from payment processor Global Payments about six weeks ago, and details are still emerging, even if they are not clarifying what actually happened.
As I initially wrote, it appeared that up to 10 million cards were affected, yet Global Payments made public statements denying that and insisting it was closer to 1.5 million. Now Brian Krebs of KrebsOnSecurity.com is reporting that it may be closer to 7 million cards.
Global Payments is staying quiet about the matter and hasn’t updated its statement regarding the breach since May 1, 2012, leaving consumers, banks and industry analysts grasping for the truth in the dark.
The latest information comes from Union Savings Bank (USB) and Vons supermarkets, a division of Safeway. Vons has been experiencing an unusual amount of prepaid credit card fraud and had detected patterns to the fraud that involved cards issued by USB. USB had also detected fraud on customer accounts recurring at a local cafeteria around the same time.
USB reports that it has absorbed approximately $75,000 in losses from card fraud that appears related to the Global Payments breach.
Global Payments refuted initial accusations that both track 1 and track 2 data had been stolen, insisting that only track 2 data was involved. Track 1 data includes your account number, expiration, name and CVV data, whereas track 2 primarily stores the account number and expiration date.
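To make the difference between the two tracks concrete, here is an added example (not from the original article or from Global Payments) of a scanner that flags magnetic-stripe data left in logs, using the ISO/IEC 7813 track layouts. The log lines and the `find_track_data` helper are constructed for illustration, and the card number is the widely used 4111... test number.

```python
import re

# ISO/IEC 7813 layouts (sentinels and separators are part of the encoding):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?\n]{2,26})\^(\d{4})(\d{3})([^?\s]*)\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample log: two stripe images and one look-alike that fails Luhn.
SAMPLE_LOG = (
    "2012-05-01 10:02:11 pos01 raw=%B4111111111111111^DOE/JANE^15121010000000000?\n"
    "2012-05-01 10:02:11 pos01 raw=;4111111111111111=15121010000000000?\n"
    "2012-05-01 10:02:15 pos01 ref=;1234567890123456=99990000?\n"
)

def luhn_ok(pan):
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep the first six and last four digits so findings are safe to report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text):
    """Return one finding per stripe image in text; the PAN is always masked."""
    findings = []
    for m in TRACK1.finditer(text):
        pan, _name, exp, _svc, disc = m.groups()
        if luhn_ok(pan):
            findings.append({"track": 1, "pan": mask(pan), "expiry_yymm": exp,
                             "name_present": True, "discretionary_len": len(disc)})
    for m in TRACK2.finditer(text):
        pan, exp, _svc, disc = m.groups()
        if luhn_ok(pan):                    # track 2 has no cardholder name field
            findings.append({"track": 2, "pan": mask(pan), "expiry_yymm": exp,
                             "name_present": False, "discretionary_len": len(disc)})
    return findings

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
```

Both tracks carry the account number and expiry, so a hit on either is reported. Only the length of the discretionary field is recorded, never its contents.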
This case goes to show that it doesn’t always matter much. The criminals attacking Vons are buying low value prepaid cards and recoding the magnetic stripes to mirror real victims’ account information. They are then using these re-coded cards to purchase higher value prepaid cards which they use to buy items with high resale values.
More questions are being asked about the timeframe during which customer data may have been exposed. The company initially said it had identified and self-reported the incident on March 8th, and that the attack had started in January and concluded in February. According to Krebs, card providers now believe the breach extends all the way back to June of 2011.
The lack of openness on the part of Global Payments is raising more questions than answers. Let’s hope they share more information soon to prevent further fraud and perhaps inform other payment processors of the details so we can prevent a repeat episode in the future.
Stack of credit cards photo courtesy of Shutterstock.
My employer uses Global Payments as a processor for online payment processing. We have several merchant IDs. I was aware of this some time ago, but my fear has increased exponentially. This DEEPLY concerns me. If our "customers" are compromised by this, it potentially affects my company's integrity, livelihood and my employment. Many more heads could roll in the wake of this than just Global Payments. They need to take this SERIOUSLY. I can't express it any more strongly without losing my composure.
It is interesting that you lifted this story from bankinfosecurity.com but deliberately excluded the parts about where data breach experts strongly disagree that the events you lifted and reported upon are related to the Global Payments breach.
You are certainly entitled to your opinion, but it is simply not true. If I had lifted it from BankInfoSecurity as you suggest, would it not reflect the content found on its site?
The BankInfoSecurity article does provide another perspective and interested readers may wish to read it here: http://www.bankinfosecurity.com/globals-breach-gr…
Just to clarify, the CVV is not in any track on a card. Track 1 is the card number, then name, then expiry, then bank discretionary data, which can’t include CVV. CVV is meant to exist only at the bank and cardholder’s memory. Merchants, gateways and processors can’t even store it post authorization.
You are correct, that is how it is supposed to work. I have heard that some institutions have encoded the CCV/CVV/CID info in the discretionary area on Track 1, which is a real no-no.