Concerns about credit-card security heightened Friday after a little-known Atlanta company disclosed it had been hit by hackers, potentially exposing hundreds of thousands of account holders to fraud.
The breach at Global Payments Inc. (GPN) is the latest in a wave of data attacks that have heightened consumer concerns about identity theft. The card industry has been particularly vulnerable to those concerns amid a slew of big breaches in recent years as more Americans choose to pay with plastic rather than cash.
The extent of the breach couldn’t be determined and it wasn’t immediately clear if cardholders have seen fraudulent transactions. Consumers typically aren’t liable for unauthorized purchases made on their cards.
The company declined to say how many cards were at risk, but people familiar with the investigation estimated that it could be hundreds of thousands.
The company said it “identified and self-reported unauthorized access into a portion of its processing system.” It added that in early March it “determined that card data may have been accessed.”
Global Payments didn’t disclose what type of data had been accessed, but said it had notified “appropriate industry parties to allow them to minimize potential cardholder impact.”
News of the breach broke in the morning but Global Payments confirmed it only after the market close. Global Payments shares tumbled 9% to $47.50 a share on the New York Stock Exchange, after people involved in investigating the breach identified the company to The Wall Street Journal as the victim of the attack. The stock was halted at midday. The company is scheduled to report quarterly earnings on April 4.
The breach underscores the mazelike network of the U.S. payment system, where little-known companies play important roles in processing billions of transactions each day. Global Payments is part of a group of companies called “third-party processors,” that serve as middlemen between merchants and banks.
Global Payments was the seventh-largest “merchant acquirer” in the U.S. last year, according to the Nilson Report, a payments-industry newsletter. Merchant acquirers have contracts with retailers to handle the processing of card transactions, including debit cards, credit cards and gift cards. Such third-party processors have been the target of big hacker attacks in the past.
People familiar with the breach probe said it didn’t immediately appear as large as some of the other big incidents that have been reported in recent years. More than 40 million credit-and-debit cards were exposed in 2005 when hackers breached CardSystems Solutions Inc., another company that processed transactions for merchants.
Word of the breach circulated on Friday after MasterCard Inc. (MA) and Visa Inc. (V) began alerting card-issuing banks that consumer transaction data may be at risk. Visa told the banks that the cards were exposed between Jan. 21 and Feb. 25, according to a memo reviewed by The Wall Street Journal.
“Visa has recently been notified by a third-party processor that they have detected a security breach within their payment-processing network,” Visa said in a memo to banks.
Some recent and large examples of data breaches
|Global Payments||January – February 2012||Details unknown, estimated 50,000 card accounts at risk
|Citigroup||May 2011||Card numbers, names, email addresses from 360,000 accounts
|*Epsilon Data Management||April 2011||Customer names, email addresses accessed
|Heartland Payment Systems.||January 2009||Card numbers, expiration dates, internal bank codes stolen
|TJX Cos.||January 2007||Up to 90 million credit, debit card numbers stolen
|CardSystems Solutions||June 2005||40 million cards exposed|
*unit of Alliance Data Systems Corp.
MasterCard and Visa both stressed that their networks weren’t compromised in the breach.
“The investigation is still in the early stages and if additional accounts are determined to be at risk” additional alerts will be distributed, Visa said.
Visa said that the incident is being investigated by the U.S. Secret Service, which typically probes such breaches, as well as an unidentified forensic company.
News of a breach was first reported Friday morning by the Krebs On Security blog, although it didn’t identify the company that was affected.
It wasn’t immediately known how many cards would be reissued to customers. Banks are often reluctant to do so because the administrative cost associated with re-issuing cards often exceeds the cost of the actual fraud that occurs.
The big credit-card division of J.P. Morgan Chase & Co. (JPM) and Discover Financial Services (PNC) said they are monitoring accounts for suspicious activities. Discover also said it reissue cards to customers “as appropriate.”
A spokeswoman for Bank of America Corp. (BAC) said she couldn’t comment on a specific breach but said the company will notify customers and reissue their cards if they believe their information has been compromised at a third-party location.
Global Payments handled $120.6 billion in Visa and MasterCard card volume, up 11% from the prior year, according to Nilson. It competes against First Data Corp. and units of big banks including Bank of America, J.P. Morgan and Citigroup Inc. (C) to process transactions.
Global Payments’ revenue rose 13.2% in 2011 to $1.9 billion. It posted a profit of $209.2 million, up from 2.9% from the prior year.
WSJ.com: By Robin Sidel and Andrew R. Johnson