Computer forensics investigators have expanded the scope of the data breach at credit card processor Global Payments Inc., indicating the attackers could have gained access to files that contained the personal information of some merchants that use the company’s services.
Investigators discovered that an intruder accessed servers containing personal information collected from merchant applications. The Atlanta-based credit card processor said the data belonged to a “subset” of U.S. merchants that applied for the company’s services. The company announced the new details in a press release on Tuesday. It did not indicate what personal information was exposed.
“It is unclear whether the intruders looked at or took any personal information from the company's systems; however, the company will notify potentially affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost,” Global Payments said in a statement.
Global Payments provides credit card processing services to a variety of different industries, including online gaming, restaurants, retailers, hotels and other businesses. The company claims to service more than 1 million merchant locations. It was founded with a focus on North America but expanded into other markets including Asia, Central and Eastern Europe and the United Kingdom.
The Global Payments breach was announced in March, and the company has maintained that the scope was less than 1.5 million stolen credit cards. The company said in May that the breach included Track 2 data: numerical card information.
The company said investigators believe it has contained the extent of the breach. The scope of the credit card breach will not exceed 1.5 million credit cards, Global Payments said. The credit card brands received details about card numbers that exceeded 1.5 million to provide additional monitoring for fraud.
Additional information about the financial impact and the company’s ongoing PCI compliance validation is expected by July 26 as part of the company’s year-end earnings call. Visa dropped Global Payments from its PCI compliance list in April. The company is continuing to process transactions.
“We are committed to fully resolve any issues arising from this matter and we, of course, continue to provide uninterrupted transaction processing for our customers worldwide,” said Paul R. Garcia, chairman and CEO of Atlanta, Ga.-based Global Payments Inc., in a statement.
Encryption, multifactor authentication
Experts said Global Payments could have avoided the further embarrassment of expanding the scope of the breach if it had been encrypting its merchant data. Organizations that collect personal information should be deploying encryption at rest and in motion, said Pete Lindstrom, research director at Malvern, Pa.-based Spire Security LLC. Lindstrom said many organizations fall short in protecting data because they have accumulated so many systems and so much data over time.
“Using multifactor authentication and encryption would probably solve two-thirds of the breach problems today,” Lindstrom said. “The issue is it’s just not that easy to implement.”