On Sunday, card processor Global Payments announced that data from 1.5 million credit/debit card accounts had been “exported.” It isn’t so much the size of this breach that is significant, but the fact that the company breached is one of the world’s largest payment processors.
Visa has allowed them to continue processing credit cards, but dropped them off their service provider registry (which is a BIG deal). The breach only affects North American merchants and cardholders. To give you an idea of how bad a breach at a large credit card processor can be, if a month’s worth of the transactions they handle were exposed, it is entirely possible that more than 90% of all cardholders in the US would need new credit/debit cards.
This doesn’t happen often. I only know of two other cases where a payment processor was hit by a breach. CardSystems Services, as a business, was literally destroyed by their breach: VISA and AMEX revoked its processing rights, forcing CardSystems to shut down operations and sell off assets almost overnight. Heartland Payment Systems is the most recent case, and the second largest breach ever at 130 million. They were also stripped from the registry, but managed to recover, regain PCI compliance, and get back onto the registry within a year.
Global Payments had a public conference call at 8AM this morning that I didn’t have time to attend, but which has resulted in an explosion of news stories on the breach.
The worst thing I’ve been able to determine from the details so far is that it seems Global Payments was storing Track Data – information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data after authorization (requirement 3.2.1), and PCI considers the storage of sensitive authentication data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.
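A QSA checking for exactly this violation looks for track data lying around in logs, databases and file shares rather than taking the entity’s word for it. The scanner below is an added example written for this post, not code from Global Payments or from the PCI Council. It matches the public Track 1 (format B, `%B…^…^…?`) and Track 2 (`;PAN=YYMMSSS…?`) layouts, applies a Luhn check to the PAN so that random digit strings are not reported, and returns findings with the PAN masked so the report itself does not become a new store of cardholder data. The log lines are constructed sample input, and the PAN 4111111111111111 is the standard Visa test number.

```python
import re

# Track 1, format B: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Constructed sample log: a normal authorization line, a debug line that
# leaked a full swipe, a track-shaped string with a Luhn-invalid PAN, and a
# line that correctly keeps only the last four digits.
SAMPLE_LOG = """\
2012-03-30 08:01:02 auth ok merchant=12345 amount=19.99
2012-03-30 08:01:03 DEBUG raw swipe: %B4111111111111111^DOE/JANE^25121010000000000?;4111111111111111=25121010000000000?
2012-03-30 08:01:04 DEBUG test vector: ;1234567890123456=25121010000000000?
2012-03-30 08:01:05 auth ok merchant=12345 pan_last4=1111
"""


def luhn_valid(pan: str) -> bool:
    """Standard Luhn mod-10 check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS 3.3 permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> list:
    """Return one finding per track-formatted string with a Luhn-valid PAN."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in TRACK1_RE.finditer(line):
            pan = m.group(1)
            if luhn_valid(pan):
                findings.append({"line": lineno, "track": 1,
                                 "pan": mask_pan(pan), "expiry": m.group(3)})
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_valid(pan):
                findings.append({"line": lineno, "track": 2,
                                 "pan": mask_pan(pan), "expiry": m.group(2)})
    return findings


if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f"line {f['line']}: track {f['track']} data for {f['pan']} "
              f"(exp {f['expiry']})")
```

Run against a directory of logs or a database dump, a single hit is a requirement 3.2.1 failure regardless of how the data got there; debug logging of the raw swipe, as in the sample, is the usual culprit.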
It will be interesting to see if any of the details of the breach are released. These details are essential for the rest of the industry to learn from Global’s mistakes. I’d like to see:
- The attack vectors used, and the level of sophistication necessary to breach Global.
- How long the attackers had access to systems
- If track data really was stored, and what Global’s excuse for such a violation is
- Why the breach was limited to only 1.5 million accounts in North America. A large processor like Global might process 1.5 million transactions in just a few days. Why weren’t more accounts stolen? Why only North America? Perhaps some effective segmentation was in place? That would be good news the PCI Council would be happy to point out.
- And of course, we’ll hopefully eventually find out who the perps were, and their level of hacking expertise.
Time will tell.
Adrian Sanabria is a security consultant and PCI Qualified Security Assessor for Sword & Shield Enterprise Security. He draws on years of security experience in financial institutions to help large and small companies solve complex compliance and security problems. He is skilled with both high-level design as a system and security architect, and detailed analysis with a background in penetration testing, forensics and incident response. His blog is averysawaba.blogspot.com, and you can reach him on Twitter @sawaba.