April 3, 2012
Visa and MasterCard are notifying card-issuing credit unions and banks of a possible massive data breach involving Atlanta-based Global Payments Inc., a third-party payment processor.
The breach was first reported by Krebs On Security, a blog run by a former Washington Post reporter that focuses on online security issues. The Credit Union National Association (CUNA) confirmed the breach Friday morning.
Krebs described the breach as potentially being “massive,” and early indications are that it took place sometime between late January and late February and involves 10 million cards, though early estimates often prove to be low. Hackers appear to have obtained both track 1 and track 2 card data, which allows easier creation of counterfeit cards.
Visa Inc. told CUNA that it "is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet."
"It's important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa's zero liability fraud protection policy, which exceeds federal safeguards," said Visa.
Visa has already removed Global Payments from its list of "compliant service providers,” saying the processor would be eligible to re-apply if it can show that its security meets Visa's standards.
MasterCard also confirmed that it "is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk.”
In a statement sent to CUNA, MasterCard said that "law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization. It is important to note that MasterCard's own systems have not been compromised in any manner."
Later in the day Global Payments Inc. announced part of its system had been accessed. It promptly notified law enforcement authorities and industry parties to allow them to minimize potential cardholder impact, said Global Payments.
Washington is one of only two states in the nation to have passed data breach legislation, allowing financial institutions to sue to recapture card reissuance costs from the negligent party. However, as the extent of the breach is not fully known, its impact on credit unions in the Northwest also remains to be seen. Stay tuned to Anthem and the Northwest Credit Union Association (NWCUA) homepage for more up-to-the-minute information.
Questions or Concerns? Contact Matt Halvorson, Anthem Editor: firstname.lastname@example.org.