Global Payments breach continues to bewilder, accusations abound

Credit Card stack photo courtesy of ShutterstockI wrote about a major credit card theft from payment processor Global Payments about six weeks ago and details are still emerging, if not clarifying what actually happened.

As I initially wrote it appeared that up to 10 million cards were affected, yet Global Payments made public statements denying that and insisting it was closer to 1.5 million. Now Brian Krebs of KrebsOnSecurity.com is reporting that it may be closer to 7 million cards.

Global Payments is staying quiet about the matter and hasn’t updated its statement regarding the breach since May 1, 2012, leaving consumers, banks and industry analysts grasping for the truth in the dark.

The latest information comes from Union Savings Bank (USB) and Vons supermarkets, a division of Safeway. Vons has been experiencing an unusual amount of prepaid credit card fraud and had detected patterns to the fraud that involved cards issued by USB. USB had also detected fraud on customer accounts recurring at a local cafeteria around the same time.

USB is reporting they have absorbed approximately $75,000 in losses related to card fraud that appears related to the Global Payments breach.

Global Payments refuted initial accusations that both track 1 and track 2 data had been stolen, insisting that only track 2 data was involved. Track 1 data includes your account number, expiration, name and CVV data, whereas track 2 primarily stores the account number and expiration date.

This case goes to show that it doesn’t always matter much. The criminals attacking Vons are buying low value prepaid cards and recoding the magnetic stripes to mirror real victims’ account information. They are then using these re-coded cards to purchase higher value prepaid cards which they use to buy items with high resale values.

More questions are being asked about the timeframe that customer data may have been exposed. The company initially said they had identified and self-reported the incident on March 8th and the attack had started in January and concluded in February. According to Krebs, card providers now believe the breach extends all the way back to June of 2011.

The lack of openness on behalf of Global Payments is raising more questions than answers. Let’s hope they share more information soon to prevent further fraud and perhaps inform other payment processors of the details so we can prevent a repeat episode in the future.

Stack of credit cards photo courtesy of Shutterstock.