Global Payments breach raises questions

Company's description of breach leaves some gaps

A conference call held Monday by payment processing vendor Global Payments Inc. to explain a computer intrusion that exposed data on at least 1.5 million credit and debit card holders, left unanswered questions about the breach.

The Atlanta-based company, which processes payment card transactions for thousands of merchants, first reported the compromise Friday when it released a brief statement saying that intruders had gained access to a portion of its processing system. It later updated the statement to say that data belonging to about 1.5 million cardholders, had been "exported" from its systems.

The company's disclosures came after the Wall Street Journal on Friday identified Global Payments as the victim of a major data breach. The breach was originally reported by security blogger Brian Krebs. Krebs' report did not name Global Payments and was based on an internal alert from Visa and MasterCard warning card-issuing banks about a breach at an undisclosed payment processor involving about 10 million debit and credit cards.

In a conference call with investors, Global Payments Chairman and CEO Paul Garcia said the data theft was confined to the company's North American processing system. The breach did not involve any merchant systems or systems belonging to sales partners, he said.

"Neither merchant systems, nor point-of-sale devices were involved in any way," Garcia said, according to a transcript of Monday's call.

"Importantly, investigation to-date has revealed that the theft involved Track 2 card data only. We do not believe, Track 1 card data was taken or that cardholder names, addresses, Social Security numbers for consumer banking information was obtained by the criminals," Garcia said repeating the company's earlier statement on the breach. Based on an investigation of the intrusion, "we believe that this incident is contained," he said.

The company's description of the breach leaves some questions unanswered, said Avivah Litan, an analyst with Gartner Inc. "It seems obvious that they were breached ... but they didn't come out and say it straight," Litan said. "All they said is what was not involved. That's the mystery here."

There also appears to be a discrepancy between Global Payments' description of the data that was compromised and the description by MasterCard and Visa. According to the alert sent out by the credit card companies to card-issuers, the compromised data included both Track 1 data, which includes personally identifiable information such as the cardholder's name and account number, and Track 2 data, which involves information such as the card's expiration date and the account number. However, Global Payments has insisted that only Track 2 data was compromised in the breach.

"This discrepancy just raises more questions. We still don't have all the information here," Litan said.

A Visa spokesman said the company does not comment on private internal communications regarding an ongoing investigation.

Meanwhile, in a blog post Monday, Krebs added that he has information suggesting that Global Payments may have been breached for much longer than the company has let on. According to Krebs, documents obtained from a hacker suggest that criminals may have had control of the company's network for the past 13 months before they were discovered earlier this year. Krebs claimed that document, which he is attempting to authenticate with Global Payments, appears to contain sensitive information about the payment processor's internal databases.

Amy Corn, a spokeswoman with Global Payments, would neither confirm no deny whether Track 1 data had been compromised in the breach. "What I can tell you is that the investigation to date has shown that cardholder names, addresses and Social Security numbers," were not exposed, she said, reiterating earlier comments by the company.

According to Litan, some in the payment industry believe that the breach will "mushroom." Global Payments has said that no merchant system was involved, but Litan said her sources have indicated that the breach may involve a taxi and parking garage company in the New York City area, although that is still unconfirmed. She noted that Global Payments is not obligated to report the breach publicly if cardholder names and other personally identifying information was not exposed.

In a blog post on the Gartner site, Litan said she has information suggesting that the crime was perpetrated by a Central American gang "that broke into the company's system by answering the application's knowledge based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently," Litan said.

Corn said she couldn't confirm or deny Litan's claim that a NYC cab company might have been involved in the breach. She also offered no comment on Krebs' latest post suggesting the company's networks may have been under criminal control for more than a year.

Adam Bosnian, executive vice president of security vendor Cyber-Ark, said that if Litan's information about how the breach occurred is correct, it would fit into a developing pattern.

"Targeting privileged accounts as a gateway to an organization's high value targets is becoming a startling trend," Bosnian said. " If you examine the rash of recent breaches, they follow a distinct pattern. Hackers gain access to an administrative account through often-simple means, like an easy-to-crack password, spear-phishing or exploitable zero-day vulnerability," and then escalate their privileges on the compromised computer.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is .

See more by Jaikumar Vijayan on .

Read more about security in Computerworld's Security Topic Center.

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline