MasterCard and Visa on Friday were trying to determine the extent of a possible security breach at an Atlanta-based payment processing company, which experts say could compromise the credit-card and debit-card information of millions of Americans.
The two companies say they have notified law enforcement officials and alerted banks about the potential data theft, even as they seek to assure customers that their own systems had not been breached.
Both companies also emphasize that customers are not held responsible for any fraudulent purchases made on their cards.
George Ogilvie, a spokesman for the Secret Service, confirmed that the agency is investigating the matter but declined to elaborate, saying the inquiry is ongoing.
The security lapse involved Global Payments, an Atlanta-based firm that describes itself as “one of the world’s largest electronic transaction processing companies.”
In a statement Sunday evening, a Global Payments spokeswoman said the company “believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported.” She said the company continues to work with regulators, law enforcement officials and others in the industry to minimize any impact to cardholders, and that it has hired multiple information security and forensics firms to investigate the breach.
“We are making rapid progress toward bringing this issue to a close. Our nearly 4,000 employees around the world are focused on providing exceptional service. We are open for business and continue to process transactions for all of the card brands,” Global Payments chief executive Paul R. Garcia said in a statement
Global Payments said last week it had determined in early March that “card data may have been accessed.” It said that company officials immediately contacted federal law enforcement, brought in information technology forensics experts to investigate and notified “appropriate industry parties to allow them to minimize potential cardholder impact.”
Both MasterCard and Visa on Friday were quick to assure customers that their own systems remained safe and that they had alerted banks to any potential problems.
MasterCard said in a statement that its “own systems have not been compromised.” Visa officials also insisted that there had been “no breach of Visa systems” and that it had contacted card issuers with details about accounts that might have been compromised “so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”
In addition to notifying law enforcement and banks, MasterCard said Friday that an independent data-security organization was conducting an ongoing forensic review of the matter.
Brian Krebs, a computer security expert who first reported the theft on his blog KrebsonSecurity.com, wrote that sources in the financial sector had described the data theft to him as “massive” and believed it could involve more than 10 million compromised card numbers.
Avivah Litan, a Maryland-based fraud analyst at the information-technology-research firm Gartner, also said Friday that she had spoken with contacts in the card business “who are seeing signs of this breach mushroom” and also believe the number of compromised numbers would reach into the millions. She said it appears that the breach at least partially involved a parking and garage company in the New York City area.
“The industry has spent billions of dollars on trying to secure the payment systems. . . . They have been at this for years, trying to get merchants and payment processors and taxicabs and everything to secure their payment systems, and it’s just not working,” Litan said in an interview.
She said the United States lags behind many countries that have migrated to microchip technology in credit cards, which have cut back significantly on fraud. “We’re the only developed country that’s not using it,” Litan said.
Neither MasterCard nor Visa actually issues cards to consumers or lends money. Banks such as Wells Fargo and Bank of America typically issue the cards, while MasterCard and Visa oversee the individual transactions and charge merchants fees each time a card is swiped.
The latest incident is part of an ongoing string of electronic attacks against corporations, schools and government agencies that have repeatedly put the confidential information of Americans at risk. Last June, for instance, hackers breached a network at Citigroup and gained access to credit card data for more than 360,000 North American customers.
According to a report by the research firm Javelin, identity fraud increased during 2011 by 13 percent, and more than 11.6 million U.S. adults became victims.
One key factor behind the increase in fraud, the firm found, was the 67 percent increase in the number of Americans affected by data breaches. Research showed that victims of data breaches are 9.5 times more likely to fall prey to identify fraud than customers who had not received notice of a potential data breach.