Global Payments, the Atlanta-based processor whose North American payment systems were breached earlier this year, is standing by its initial estimate that fewer than 1.5 million credit card numbers were exposed to hackers.
But, in a conference call on Tuesday, Chairman and CEO Paul Garcia revealed that through a forensic examination into the incident, investigators detected another unauthorized intrusion: this one affecting a database that contains the applications of merchants who sought to have Global Payments process their transactions. The two breaches don't appear linked.
"It is unclear if criminals even looked at this information, much less took it from our systems," he said. "However, we are notifying certain individuals in the U.S. whose personal information has been subject to access."
Saying that investigators were still "scrubbing the data," Garcia would specify neither how many merchants were impacted nor what type of information may have been disclosed. However, according to an Associated Press report, the applications may include names, addresses, and Social Security, driver's license and bank account numbers.
In an indication of what kind of data may have been involved, victims are being provided with credit monitoring and identity theft protection services, he said.
As for the first incident, Garcia affirmed an earlier finding that the hackers accessed only magnetic stripe-encoded Track 2 data, which is up to 40 characters in length and includes a card's primary account number, expiration date, service code, PIN and CVV number.
And while it stands by the 1.5-million figure, the company has provided its payment networks, including Visa and MasterCard, with all of the card numbers it processed on the affected systems, dating back to a little over a year before it detected the breach in early March.
The move was "designed to cast a wide net to protect cardholders," Garcia said.