Early on Friday morning, former long-time Washington Post reporter Brian Krebs (who wrote a high-profile blog on IT security matters there) broke a story at his Krebs on Security website that VISA and MasterCard were warning banks in an unpublicized note that there had been a breach at one of their credit card processors sometime between 21 January and 25 February. The notice, Krebs said, indicated that the information taken would allow counterfeit credit cards to be produced.
In addition, Krebs wrote that, "the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area."
Krebs' story started a flurry of speculation in the press about which credit card processor suffered the breach, exactly how large it was, and how it happened. Krebs' post stated that, "Sources in the financial sector are calling the breach 'massive,' and say it may involve more than 10 million compromised card numbers." That 10 million number was soon bandied about in subsequent news stories.
Shortly after noon on Friday, the Wall Street Journal identified the processor as Global Payments Inc., located in Atlanta, Georgia. The news sent the company's stock into freefall; before trading in the stock was halted, its value had dropped 13 percent. The company soon put out a press release confirming that a breach had indeed occurred, and that it had been detected in early March, which was weeks after it could have occurred. That time lag didn't stop Global Payments from patting itself on the back, however. Chairman and CEO Paul R. Garcia stated in the press release that:
"It is reassuring that our security processes detected an intrusion."
Over the weekend, VISA confirmed to the WSJ that it had suspended Global Payments as one of its credit card processors for the moment, but wouldn't say exactly why; Garcia's statement would have been reason enough, I imagine. MasterCard said it was awaiting information from the investigation, which now includes the U.S. Secret Service.
Late last night, Global Payments put out word that the breach was smaller than had been previously speculated: only 1.5 million affected accounts, not 10 million.
"The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained."
According to an AP story, the company reemphasized in a news conference this morning that the breach was "absolutely contained" but that the investigation was still on-going. A ZDNet story, however, reports that the company said that the breach had been contained "to the best of our ability." That seems like a material difference to me.
The ZDNet story goes on to note Global Payments' statement that it doesn't believe anyone has made fraudulent use of the stolen information. On the other hand, the AP story says that the company "will set up a website later Monday to help consumers who might be affected by the breach."
The ZDNet's sources apparently contradict what Brian Krebs indicated he was told by reliable sources. It could mean that there is another, smaller breach involving parking garages in the New York City area that had been mistaken for the Global Payment breach.
ZDNet also reports that Global Payments says the breach affected a "handful of servers" but wouldn't elaborate on the details of the break-in much more than that.
I think it is going to be a while before all the facts are known—that is, if they ever are.
And in a purely coincidental incident, a VISA system update prevented VISA credit card transactions across the United States for about 45 minutes yesterday afternoon.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.