Amid breach fallout, Global Payments struggles with public message

The breached credit card processor assured investors that the damage has been contained and its security procedures worked. But for nervous card holders with additional questions, a basic website statement will have to do.

By

April 03, 2012CSO

Global Payments Inc. of Atlanta, the credit card processing firm that was breached sometime earlier this year, couldn't keep hackers out of its system, but the firm's leaders seem determined to keep the press outside their public relations wall.

Since the breach became public March 30, the company has issued a general statement and set up a web page for customers and merchants.

But in a conference call with investors Monday morning, CEO Paul R. Garcia refused to take questions from reporters. A call from CSO seeking comment was not returned.

Garcia instead spent most of the conference call in self-congratulatory mode, saying that the company's own security measures detected the breach, that it notified law enforcement and card associations "within hours," and that so far there had been no fraudulent activity on any of the compromised cards.

This, says Bruce Schneier, chief security technology officer at BT, should be no surprise. "They are going to do what they think is best for the company," he says, acknowledging that trying to block media coverage might not be the best strategy.

He said the Tylenol case from 30 years ago, in which manufacturer Johnson & Johnson was unusually transparent with the press and public after somebody laced capsules with cyanide, "is a great example because it is so rare --(a case of) full disclosure and getting ahead of the story and irrational panic. But in the heat of the moment, that is not always what people do."

Independent security consultant James Arlen says his best guess is that GP wants to have, "a well-defined story to tell prior to letting anyone in. Essentially, it's cleaning up the crime scene to insure that only their version of what happened will come to light."

Security blogger Brian Krebs, who broke the story of the breach last Friday, reported that as many as 10 million cards may have been compromised, that sources had told him there had been fraudulent activity on at least 800 cards and that both Track 1 and Track 2 data had been taken.

But Garcia said during the conference call that the breach had occurred early in March, that 1.5 million cards had been compromised, and that only Track 2 data, which includes the card account number and expiration date, along with other data, had been stolen. He said the attackers did not get cardholder names, addresses and Social Security numbers. He characterized much of the reported information about the breach as, "rumor and innuendo, most of it incredibly inaccurate."

RESOURCE CENTER