* Visa, MasterCard, American Express, Discover hit
* Breach stems from third-party Global Payments
* Unclear how many accounts affected
By Lauren Tara LaCapra and Carrick Mollenkamp
March 30 The U.S. Secret Service is
investigating a major cyber intrusion at an Atlanta-based
payment processor that could expose millions of Ma sterCard,
Visa, American Express and Discover cardholders to fraudulent
charges.
Processor Global Payments Inc said on Friday it had
found "unauthorized access" into its system early in March and
notified law enforcement and financial institutions.
Payment network operators MasterCard Inc, Visa Inc
, American Express Co and Discover Financial
Services confirmed they were affected, along with banks
and other franchises that issue cards bearing their logos.
A spokesman for the Secret Service said the agency is
leading investigations into the case but declined to give any
details.
Though Global Payments is far from a household name,
middlemen s uch as the company a re p rized targets f or hackers
because of the vast amount of sensitive financial information
they handle.
The company's stock fell more than 9 percent on the news
before trading was halted. It said it would discuss the breach
in a phone call for investors on Monday.
It was not immediately clear how Global Payments was
penetrated or how many accounts were exposed. Consumers who
detect fraud usually can be reimbursed. That leaves merchants on
the hook financially, though they could file claims against
Global Payments.
Analyst s said MasterCard and Visa are unlikely to face costs
from the breach, but MasterCard shares fell 1.8 percent to close
at $420.54 and Visa shares dropped 0.8 percent to $118.
The security breach is just the latest in a long string of
incidents that have put the personal information of millions of
credit and debit cardholders at risk.
Individual banks and processors said they had not yet
determined the full extent of the breach, but the blog Krebs on
Security, which first reported the breach, said it was "massive"
and could affect more than 10 million cardholders.
Some industry experts suggested the figure might be much
lower, perhaps on the order of tens of thousands. Bernstein
Research analyst Rod Bourgeois noted that Global Payments is a
relatively small player in the transactions services industry,
servicing 800,000 merchants with a 3.5 percent market share. By
contrast, the largest competitor, First Data, services millions
of merchants, with 22.6 percent of the market.
JPMorgan Chase & Co, as well as American Express and
Discover, which issue their own cards, said they are monitoring
customers' accounts and would issue new cards to anyone whose
information may have been compromised.
Citigroup Inc said it has been notified by processors
of the breach. Bank of America Corp declined to comment
on the matter and Wells Fargo & Co said it was too early
to comment on the impact.
Banks and processors emphasized customers would not be held
liable for any fraudulent charges that may occur.
Michael Simonsen, chief executive of real-estate research
company Altos Research, said he may have been a victim.
Simonsen said he was contacted by Bank of America last week
about his Visa card. Although there were no unauthorized
transactions, the representative told him a vendor or law
enforcement agency had flagged his account as compromised and so
he would receive a new one.
"It was very unusual," he said.
PROCESSING PIPELINE
Global Payments, which has about 3,700 employees, was spun
off from information-services firm National Data Corp in
2001. For the fiscal year ended May 31, Global Payment reported
revenue of $1.9 billion, up 13 percent from the year-earlier
period. According to a company presentation in January, it
es timated fisca l 2012 revenue at ab out $2.15 billion.
Global Payments is scheduled to report fiscal third-quarter
results on Wednesday and a n improvement is expected. On
Wednesday, Sterner Agee raised its st ock p rice target for Global
Payments to $65 from $58.
Global Payments is one of dozens of companies that operate
along the payment-processing chain, between the time a person
swipes a card to pay and the time the payment is delivered.
The account number, expiration date and possibly the
cardholder's name is sent from the point of payment to a
processor, which then connects to Visa, MasterCard, American
Express or Discover. Information is then sent to the card issuer
- often a bank - which ultimately authorizes the transaction.
The actual transfer of money occurs later.
Processing companies, which perform millions of
authorizations each day, are supposed to encrypt card
information. But a breach could occur if someone gains access to
the system and identifies a gap in the encryption.
The information that was likely collected illegally from
Global Payments is called Track 1 and Track 2 data. A person
improperly using the information can transfer the account number
and expiration date to a magnetic strip on a card and then try
to use the card on a website.
Thousands of U.S. banks that issue credit and debit cards
receive daily alerts regarding breaches, said Thomas McCrohan,
an analyst with Jane Capital Markets.
The illegal use of the data could be stymied if an online
merchant asks for the three or four digits printed on a card
known as the "CV code."
"The systems can all be made tighter, but if they're too
tight no transactions would ever be approved," said Edward
Lawrence, a director at Auriemma Consulting Group, a payment
systems consultant. "You still have to allow commerce to occur."
Rep. Mary Bono, a California Republican who chairs the House
Subcommittee on Commerce, Manufacturing and Trade, condemned the
Global Payments breach and urged Congress to adopt stronger
data-security legislation this year.
"You shouldn't have to cross your fingers and whisper a
prayer when you type in a credit card number on your computer
and hit 'enter,'" she said in a statement.
RIPPLE EFFECTS
The breach is the first major instance this year of consumer
information put at risk by technological flaws or hacking, but
there are plenty of examples of massive data breaches in recent
years affecting banks, retailers, technology companies and
payment processors.
Last June, Citigroup said computer hackers breached the
bank's network and accessed data of about 200,000 cardholders in
North America.
Sony Corp also reported several recent
attacks, including one last year in which hackers accessed the
personal information on 77 million PlayStation Network accounts.
Google Inc suffered a major attack on its Gmail
accounts in 2011 that it said appeared to originate in China.
Attacks against Gmail users involved direct attempts to
compromise accounts by tricking users into revealing information
- so-called "phishing" - or by gathering their passwords from
other websites, rather than compromising Google systems,
according to the company.
Separately, TJX Co Inc and Heartland Payment Systems
Inc have had their systems compromised.
On Friday, retailers were already beginning to look for
fraudulent purchases from the compromised card accounts stemming
from the Global Payments breach. They will bear the financial
brunt of those crimes under rules worked out with the card
associations and issuers, analysts said.
"Our merchant community is sitting here girding itself and
looking at their own fraud-prevention strategies and bracing for
the influx of bad transactions," said Tom Donlea, managing
director for the Americas at the nonprofit Merchant Risk
Council. "After Heartland and after the Sony breach, there was
an increase in fraud activity."