Global Payments credit-card data breach: How big is the theft?

The Global Payments breach is the largest known credit-card theft from a business or financial institution in the past two years. Last year, data from some 3.4 million credit cards were grabbed.

Cybercriminals recently made off with up to 1.5 million credit-card numbers from Global Payments, a third-party processor of transactions for Visa and MasterCard. It’s the largest known credit-card theft from a business or financial institution in the past two years.

During that period, much larger cases of cyber data theft – involving more than just credit-card information – have occurred. For instance, the personal data of 24 million customers was stolen from online retailer Zappos in January. But to experts who watch cybertheft trends, the Global Payments theft indicates a return by hackers to targeting big organizations, not just small ones far from the law-enforcement limelight.

It also represents hackers avoiding direct attacks on banks and financial institutions that have beefed up their security.

"We've seen the number of reported thefts of data from financial institutions declining since 2005 – even as the number of hacks targeting businesses has steadily risen," says Karen Barney, program director at the Identity Theft Resource Center in San Diego, which issues annual reports tallying the attacks.

Data for 3.4 million credit cards were grabbed last year, down from 4.6 million in 2010, the ITRC reported. Information related to payment cards (that is, credit and debit cards) was involved in more breaches – 48 percent – than was any other data type, according to the 2012 Data Breach Investigations Report, another industry study by Verizon.

Among data theft worldwide last year, there were 855 incidents with 174 million compromised records, according to the Verizon study, which was conducted by Verizon's RISK Team and included data from Australian, Dutch, and Irish police as well as the US Secret Service. In the report last year, the number of compromised records came in at an all-time low – 4 million.

Most payment-card thefts, the Verizon study found, are from small businesses, with only about 5 percent last year from large organizations. More than three-quarters of the breaches involved losses of fewer than 10,000 records. Just seven breaches involved more than 1 million records each.

"The criminal community has effectively been deterred from engaging in high-profile activity," Verizon's 2011 study found. "Pulling off a huge heist might achieve fame and fortune, but it also attracts a lot of unwanted attention."

The Global Payments cybertheft falls squarely in the Verizon report's "mega-breach" category. But it’s counter to the overall trend in which criminals targeting payment cards have largely shifted from big to small businesses to dodge law enforcement.

One notable mega-breach of a card processor occurred in 2008 against Heartland Payment Systems, which netted thieves data on more than 100 million cards. For that crime, hacker Albert Gonzalez was sentenced in 2010 to 20 years in prison.

It's not certain yet what methods were used to snatch credit-card numbers from Global Payments, although early reports indicated a possible link to a New York City street gang and possibly to parking garages in the city, according to Brian Krebs, the cybersecurity blogger who first broke the story last Friday.

"In an alert sent to card-issuing banks ... [Visa and MasterCard] said the window of vulnerability for the breached processor (at that time unnamed) was between Jan. 21, 2012 and Feb. 25, 2012," Mr. Krebs reported on his website. The data stolen included sufficient information for the thieves to counterfeit new cards, he said.

In a press release Sunday, Global Payments said it believes “the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported.” It added, “Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

Still, Visa announced Monday that it had dropped the card processor from its list of providers that meet its data security standards. Global Payments officials said they expected that move to be temporary.
