Remember that totally contained cyber-raid on payment processing giant Global Payments that compromised more than 1.5 million different credit card accounts in April? It looks like it might not have been so contained after all. Gee, who would have guessed?
This week, the disgraced processing firm’s CEO, Paul Garcia, held a conference call with the press. In it, he explained that Global Payments might have been a bit too hasty in concluding that no sensitive personal information was stolen by the hackers who heisted millions of credit and debit card numbers two months ago.
After investigating the intrusion more carefully, the company’s analysts discovered that the hackers indeed obtained access to personal information, specifically the information of merchants who were applying to have their sales processed.
“What we initially announced did impact less than 1.5 million cards that we believed were taken by the bad guys for nefarious purposes,” Garcia said. “This is something very different. We uncovered that the bad guys may have had access.”
Merchants who were waiting on Global Payments to approve an application in April might want to grab a stiff drink about now. In addition to storing credit and debit card numbers, those compromised databases also contained merchant names, addresses, driver’s license numbers, social security numbers and, worst of all, bank account numbers. Basically, they stored everything a thief would need to bankrupt a business, steal an identity, create a bunch of credit cards in someone else’s name or destroy a person’s credit rating.
But even with all of this at risk, Atlanta-based Global Payments has yet to divulge the identities of the merchants and banks involved, even though there’s already anecdotal evidence of fraud. They also have yet to publish their projected losses from the breach, meaning that the shareholders of the $3.2 billion company are also being left in the dark.
“I am sorry I am not more forthcoming on this, but this is still evolving as we speak,” Garcia said.
This reads like one big lesson on how not to handle a massive information theft. Global Payments should have been more forthcoming about the damage from the start. They should have gone public with the merchants’ identities so as to alert their respective customers. They should have also come clean about the secondary intrusion as soon as they found out about it instead of sitting on it while the fire died down. They aren’t doing themselves any favors by continuing to string their customers and shareholders along, especially considering how dear a toll their silence has taken already.
Though the Privacy Rights Clearinghouse estimates that more than 500 similar breaches have occurred since last year, this is by far the largest in recent memory. Since news of the breach first broke on April 19th, Global Payments’ share value has plummeted from $45.19 down to $40.47. Additionally, both Visa and MasterCard have removed the company from their list of preferred processors. For a company that processed payments for more than 800,000 merchants last year, that’s not exactly good news.
Remarkably, with the exception of this one incredibly massive screw-up, Global Payments continues to insist that the rest of the breach was totally contained. They plan on contacting the customers whose data was compromised, they say, and they will also pay for credit monitoring and identity protection insurance if an account has been breached. The company has also drafted an independent consultant to review its security protocols. Garcia hopes that Global Payments will become eligible for re-certification by Visa and MasterCard just as soon as they make the consultant’s recommended changes.
“We’re going to do this right,” he said.
Will Global Payments’ interpretation of “doing it right” be enough to right the slowly sinking ship? We will wait and see.