data protection

Visa drops Global Payments after hackers compromise 1.5m accounts

Warwick Ashford

Visa has dropped its seal of approval for credit and debit card processor Global Payments in the wake of a data breach involving 1.5 million accounts.

Visa has removed Global Payments from its list of those it considers to be compliant service providers, according to the Wall Street Journal.

Three US credit firms – Visa, MasterCard and Discover – warned that credit card holders' personal information could be at risk after the breach was revealed late on Friday.

In a statement, MasterCard said: "[We are] concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information.

"If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution."

Visa echoed MasterCard's statement, emphasising that its customers are not responsible for fraudulent purchases, according to the BBC.

Discover Financial Services said it was monitoring accounts and would reissue cards if necessary.

Customer data exposed in breach

On Sunday, Global Payments issued a statement saying that "the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers may have been exported… Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained.”

But security blog KrebsOnSecurity, which first reported the story, said it remains unclear whether additional accounts beyond these 1.5 million were exposed by the breach.

"It’s also unclear how Global Payments’ timeline of the incident meshes with that of MasterCard and Visa," the blog said.

This latest breach of the MasterCard and Visa data is an all too painful reminder of why companies need to automate and enforce strong access controls

Kevin Cunningham, SailPoint

In an alert sent to card-issuing banks, the card associations said the window of vulnerability for the breached processor was between 21 January 2012 and 25 February 2012. The alert also said that enough data was exposed for hackers to make counterfeit cards.

Yet, in a statement on Friday, Global Payments said its own security systems identified and self-reported the breach, which it said was detected in early March 2012.

In its follow-up statement on Sunday, the company said cardholder names, addresses and social security numbers were not obtained by the criminals.

A technical problem affecting the Visa network prevented some US customers from using their credit and debit cards for 45 minutes on Sunday, but Visa told The Associated Press that the outage was caused by an update it made to its system, and was not related to the Global Payments breach.

Businesses still vulnerable to security breaches

Kevin Cunningham, president and co-founder of identity governance software firm, SailPoint, said the incident shows that large-scale security breaches are still taking place, and when they do they are very impactful to the business.

"To prevent these types of breaches, organisations must put security controls in place to conduct regular reviews of user accounts and monitor privileged user account activity to spot rogue accounts," he said.

Without strong, enforceable password policy and detective controls over user accounts, Cunningham said companies easily fall victim to intruders who break in and set up accounts to siphon off customer data. 

"This latest breach of the MasterCard and Visa data is an all too painful reminder of why companies need to automate and enforce strong access controls," he said.


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy