Visa confirms processor credit card breach

Share this article:

Visa and MasterCard are investigating a major breach of credit card numbers at a payment processor, the size of which may exceed anything seen in at least three years.

In a statement, Visa said it was "aware of a potential data compromise incident at a third-party entity affecting credit card account information from all major card brands."

Neither card brand has named the compromised entity, but a Friday Wall Street Journal story pinned the blame on  Atlanta-based Global Payments Inc. The company's stock price dropped sharply following the news breaking. A spokesperson did not respond to a request for comment. As of 1:30  p.m. EST, its shares were down roughly nine percent in heavy trading, which has since been halted 

Security blogger Brian Krebs, who first broke the story of the breach in his Krebs on Security blog, said he couldn't confirm Global Payments was the source of the breach.

The amount of victims also is unknown, as the Journal report said some 50,000 cards were impacted, but Krebs said the number could reach 10 million.

Avivah Litan, vice president and distinguished analyst at Gartner, told SCMagazine.com that her sources within the payment industry tell her the breach was sustained by a New York City-based taxi cab/parking garage company, and was the work of a Central American gang.

"The taxi cabs generate millions of transactions over months," she told SCMagazine.com

A city Taxi and Limousine Commission spokesman, Allan Fromberg, told SCMagazine.com that he wasn't aware of any breach, but said there are 65 so-called "medallion agents" who lease taxi cabs to drivers. They serve as merchants, as well, and contract with third-parties to process cab fares that are paid with credit card.

Visa, in its statement, said it was contacting "payment card issuers" with information about card numbers that may have been compromised.

PSCU, which provides financial services, such as bill payment solutions, to 680 credit unions, issued a security alert this week to its members after it was contacted by Visa. The alert, which was obtained by SCMagazine.com, reported that 46,194 of the compromised Visa card numbers belonged to PSCU customers, and that the breach lasted from Jan. 21 and Feb. 25. (The 46,194 number dropped to 26,094 when accounting for duplicate, expired or invalid cards).

No matter the size of the breach, this appears to be the first massive incident involving stolen credit card data since Heartland Payment Systems was hit it to the tune of 100 million card numbers.

"Just when we thought it was safe to go back shopping," Litan joked.

UPDATE: Global Payments has confirmed a breach that happened in early March, but didn't reveal how many card numbers were involved. The company is planning an 8 a.m. EST conference call on Monday with investors.

"[The company] determined card data may have been accessed," said a statement. "It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact."

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.