‘Massive’ credit card data breach involves all major brands
Global Payments Inc., which processes credit cards and debit cards for banks and merchants, has been hit by a security breach that has put some 50,000 cardholders at risk, according to people with knowledge of the situation.
The full extent of the breach couldn’t be determined, one of the people said. It wasn’t immediately clear if cardholders have been hit by fraudulent transactions.
Representatives of Atlanta-based Global Payments, a so-called third-party processor of payment cards, including debit cards, credit cards, and gift cards, couldn’t be reached for comment.
The news comes as MasterCard Inc. and Visa Inc. have been alerting their card-issuing bank customers about the potential breach. It wasn’t immediately known if the banks are planning to reissue cards to their customers.
MasterCard said law enforcement has been notified of the matter and an “independent data security organization” is conducting a forensic review of the matter.
“MasterCard’s own systems have not been compromised in any manner,” a company spokesman said in a statement. The company will “continue to both monitor this event and take steps to safeguard account information.”
The spokesman declined to say how many cards may have been compromised or how many banks it is notifying.
Visa said in a statement that it is aware of a possible compromise involving a “third-party entity” affecting card account information from all major card brands.
“There has been no breach of Visa systems, including its core processing network VisaNet,” the company said. Visa said it has provided banks with affected account numbers “so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards.”
A notice Visa has sent to banks said it had been notified of a security breach within a third-party payment processor. The estimated window for the breach was between Jan. 21 and Feb. 25, according to a copy of the notice reviewed by The Wall Street Journal.
“The network intrusion may have put accounts at risk of being stolen,” Visa said in the notice, adding that a forensic company is working with the company in question and the U.S. Secret Service is also investigating the breach. “The investigation is still in the early stages and if additional accounts are determined to be at risk” additional alerts will be distributed.
Visa has a zero-liability fraud policy that “exceeds federal safeguards” and protects Visa cardholders against fraudulent purchases but encourages cardholders to “regularly monitor their accounts” and notify their banks “promptly of any unusual activity,” the company said.
Visa and MasterCard don’t lend or issue cards to consumers; rather, they handle transactions for banks that issue their cards and those that handle transactions for merchants. Visa has more than 648 million U.S. credit, debit and prepaid cards and MasterCard has more than 308 million U.S. credit, debit and prepaid cards in the market, according to the Nilson Report, a payments-industry newsletter.
Bank of America Corp., J.P. Morgan Chase & Co., Capital One Financial Corp., Wells Fargo & Co. and Citigroup Inc. are among the largest issuers of Visa and MasterCard cards.
First Data Corp., an Atlanta-based processor that competes with Global Payments, said it wasn’t involved in the matter. Card-issuing banks “should look to card brands for information, which is the standard practice for the brands,” First Data said in a statement.
Discover Financial Services said in a statement that it is monitoring accounts for suspicious activities and will reissue cards to customers “as appropriate.”
A spokeswoman for Bank of America said she couldn’t comment on a specific breach but said it will notify customers and reissue their cards if they believe their information has been compromised at a third-party location.
Other banks, including J.P. Morgan and PNC Financial Services Group Inc., declined to comment.
The breach was reported earlier Friday by the Krebs On Security blog.
—Matthias Rieker contributed to this article.
Write to Andrew R. Johnson at [email protected]