VISA, MasterCard Compromise Much Smaller Than Initially Believed

Fewer than 1.5 million accounts affected instead of 10 million originally speculated


Early on Friday morning, former long-time Washington Post reporter Brian Krebs (who wrote a high-profile blog on IT security matters there) broke a story at his Krebs on Security website that VISA and MasterCard were warning banks in an unpublicized note that there had been a breach at one of their credit card processors sometime between 21 January and 25 February. The notice, Krebs said, indicated that the information taken would allow counterfeit credit cards to be produced.

In addition, Krebs wrote that, "the transactions that most of the cards they analyzed seem to have in common are that they were used in parking garages in and around the New York City area."

Krebs' story started a flurry of speculation in the press about which credit card processor suffered the breach, exactly how large it was, and how it happened. Krebs' post stated that, "Sources in the financial sector are calling the breach 'massive,' and say it may involve more than 10 million compromised card numbers." That 10 million number was soon bandied about in subsequent news stories.

Shortly after noon on Friday, the Wall Street Journal identified the processor as Global Payments Inc., located in Atlanta, Georgia. The news sent the company's stock into freefall; before trading in the stock was halted, its value had dropped 13 percent. The company soon put out a press release confirming that a breach had indeed occurred, and that it had been detected in early March, which was weeks after it could have occurred. That time lag didn't stop Global Payments from patting itself on the back, however. Chairman and CEO Paul R. Garcia stated in the press release that:

"It is reassuring that our security processes detected an intrusion."

Over the weekend, VISA confirmed to the WSJ that it had suspended Global Payments as one of its credit card processors for the moment, but wouldn't say exactly why; Garcia's statement would have been reason enough, I imagine. MasterCard said it was awaiting information from the investigation, which now includes the U.S. Secret Service.

Late last night, Global Payments put out word that the breach was smaller than had been previously speculated: only 1.5 million affected accounts, not 10 million.

"The company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported. The investigation to date has revealed that Track 2 card data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals. Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained."

According to an AP story, the company reemphasized in a news conference this morning that the breach was "absolutely contained" but that the investigation was still ongoing. A ZDNet story, however, reports that the company said that the breach had been contained "to the best of our ability." That seems like a material difference to me.

The ZDNet story goes on to note Global Payments' statement that it doesn't believe anyone has made fraudulent use of the stolen information. On the other hand, the AP story says that the company "will set up a website later Monday to help consumers who might be affected by the breach."

ZDNet's sources apparently contradict what Brian Krebs indicated he was told by reliable sources. It could mean that there is another, smaller breach involving parking garages in the New York City area that had been mistaken for the Global Payments breach.

ZDNet also reports that Global Payments says the breach affected a "handful of servers" but wouldn't elaborate on the details of the break-in much more than that.

I think it is going to be a while before all the facts are known—that is, if they ever are.

And in a purely coincidental incident, a VISA system update prevented VISA credit card transactions across the United States for about 45 minutes yesterday afternoon.
