Breach hit credit, debit data of 1.5M
Global Payments on Monday disclosed that hackers stole credit and debit card account information for fewer than 1.5 million consumers.
Still, Visa has dropped the Atlanta-based card processor from its registry of providers that meet data security standards.
Global Payments CEO Paul Garcia said in a press conference that the breach involved only a “handful” of the company’s North American servers. “It is reassuring that our security processes detected an intrusion,” he says.
Visa and Mastercard say their own systems weren’t compromised.
Security and law enforcement experts say the Global Payments caper could help explain account discrepancies that many consumers may have noticed over the past several weeks.
Consumers can expect more fraudulent purchases and debit card withdrawals, and other scams spinning out of the notoriety of the breach.
A seven- to eight-week time period is plenty enough for identifier card data to get stolen, brokered and used in the underground market,” says Rob D’ovidio, associate professor of Drexel University’s criminal justice program.
Consumers are limited to a $50 loss for card fraud, and most often lose nothing if the fraud is detected and reported quickly. A new card with a fresh account number is issued, and the losses are borne by the bank or merchant or both.
Meanwhile, the Identity Theft Resource Center has fielded several reports from consumers who have received letters in plain envelopes with no letterhead asking recipients to call a toll-free number to verify account information. The person answering will attempt to dupe the caller into divulging account information, says ITRC adviser Kat Rocha.
“Scammers have heard of this breach and are trying to jump on it,” Rocha says.
There are myriad ways intruders can slip inside company networks, with or without the help of an insider, says Gunter Ollmann, research vice president at network security firm Damballa.
Security analysts expect more corporate intrusions to make headlines: 46 states now have data loss disclosure rules requiring merchants and card issuers to notify consumers if their data get stolen.