If a gang of robbers managed to heist $1.5 million from your local bank in less than 45 minutes and then disappeared into thin air, chances are good that the papers wouldn’t consider it a “contained” attack. But pull the same stunt on a credit industry processor and suddenly everything is totally under control – at least, that’s what Global Payments, Inc. would like America to believe.
Just days ago the Atlanta-based company, which processes credit card payments for MasterCard and Visa, ’fessed up to having inadvertently compromised more than 1.5 million different accounts thanks to a surprise attack on their server. It’s the latest in a disturbing trend of mass hacks aimed at corporate America and a foreboding sign that even our most secure networks are woefully unprepared for the threats of the digital age.
According to Privacy Rights Clearinghouse, a San Diego nonprofit, there were more than 535 security breaches on credit card databases last year – and since 2005, more than 545 million different accounts have been compromised by hackers. Those figures alone are enough to get even the most grizzled IT specialist worried, but the alarming thing about the Global Payments raid is that it’s the first direct attack on a third-party processor that we can remember.
Why is that important? Well, it’s like learning that the thieves that used to steal Twinkies from convenience stores have now figured out a way to burglarize an entire Twinkie warehouse. Because handling credit card payments was the primary service offered by Global Payments, Inc., much more information is stored in their database than is stored in, say, Sony’s online network. In fact, the company is America’s seventh-largest processor, and it handled more than 2.44 billion transactions last year – for more than 800,000 different merchants.
At the moment, Global Payments is trying to assure everyone that no instances of fraud have actually been reported yet. The CEO of the company is claiming that the attack was “absolutely contained” and that every bank and retailer that had customer data exposed has been notified. However, this hasn’t stopped their stock from dropping 9 percent since last Friday, according to BusinessWeek.
Luckily for American consumers, this breach shouldn’t make too much of a difference to our financial portfolios. First of all, the hackers didn’t get their hands on any addresses, names or Social Security numbers – only card numbers. And under the CARD Act, the burden of fraudulent purchases is the card issuers’ to bear. Cardholders can only be held liable for a maximum of $50 in criminal purchases, so even if your credit card number was stolen and used in transactions, you won’t lose anything. The only entity in trouble here is Global Payments – and the trouble they’re in is serious.
The stock market plunge is no laughing matter, and Visa has already removed Global Payments from their list of trusted affiliates. On top of that, the processor will also have to shell out a handsome amount of money to cover the damages caused by the raid. While no figures have been tossed out yet, a similar attack on Heartland Payment Systems in 2009 cost that company more than $139 million in fines and lawsuits. It’s safe to say that Global Payments will end up coughing up something in that ballpark.
If there’s anything to learn from this breach, it’s that we as consumers should be more concerned than ever. This attack is a prime example of how the demand for faster networks and faster payment methods is outpacing the financial industry’s ability to keep them secure. When the companies whose sole responsibility is to keep your credit card payments safe and efficient can now be compromised in under an hour by a hacker, what does that say about the rest of our sensitive information?
We’re not sure, but we don’t like it.