Details Don't Add Up in Huge Credit-Card Data Breach

This story was updated at 4:30 pm ET Monday (April 2).
Source: SecurityNewsDaily

Amid the details surrounding last week's disclosure of the massive credit card breach at Global Payments Inc., an incident which left at least 1.5 million Visa and MasterCard customers at risk, security researchers have noticed some discrepancies that call into question the validity of what the affected companies have admitted to.

Cybersecurity researcher Brian Krebs, who broke the story last week, said that the timeline outlined by Global Payments of what was stolen, and when, does not sync with that of MasterCard and Visa.

(Visa pulled its seal of approval for Global Payments yesterday (April 1), and has asked the Atlanta-based payment processor to revalidate its compliance processes.)

In their initial incident report to banks on Friday (March 30), Visa and MasterCard said the breach at Global Payments (at the time, Global Payments had not been identified as the victim) occurred between Jan. 21 and Feb. 25, and that full Track 1 and Track 2 data was stolen — enough information to counterfeit new credit cards.

However, in a statement issued the same day, Global Payments said it detected the breach "in early March 2012," and that only Track 2 data "may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals," Krebs wrote in his KrebsonSecurity blog.

Also, Global Payments said its own security systems identified the breach. Krebs and financial security expert Avivah Litan never said who initially found the breach; they seem to have issues with Global Payments' claim that it did, but they don't explain why.

"The apparent discrepancy over the timeline of the Global Payments breach and the means by which it was discovered and reported leaves several unanswered questions," Krebs wrote. "Was the initial alert by Visa and MasterCard that prompted this story related to a separate breach? If so, was Global Payments involved?"

Litan echoed Krebs' concern. In a post on the website of her company, information technology research firm Gartner, Inc., Litan said that following a phone call with Global Payments, "their breach seems to be very different than the one Visa issued an alert on."

"Sounds like there's a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about," she wrote.

The story may be far from over. In a tweet sent out this morning (April 2) at 7:30 a.m. (EST), Krebs wrote, "Hackers who tell me they've been inside of Global Payments since early 2011 have what appears to be GPN's internal disaster recovery plan."

UPDATE: In a second blog posting today (April 2), Krebs reiterated that Global Payments' conference call this morning "created more questions than it did answers, at least for me."

Krebs noted that The New York Times on Saturday said it had heard from two sources that this was the second breach at Global Payments in the past year, a detail that Krebs himself had not heard from sources.

But Krebs said an unnamed hacker told him something even worse: that Global Payments' network had been "under full criminal control" from January 2011 until March 25, 2012. As evidence, the hacker gave Krebs a copy of what appeared to be an internal Global Payments document detailing security plans for its databases.

The Times story on Saturday also shed light on why someone might have wanted to leak news of the data breach before Global Payments could make a statement.

It paraphrased an unnamed bank official who said, as the Times put it, that "banks had been frustrated with the pace of disclosure by Global Payments" and that Global Payments "had provided little information on where the breaches took place, how accounts were hacked and other details that could indicate which customers might be vulnerable."

On Monday, Global Payments launched a website, www.2012infosecurityupdate.com, to provide information about the matter.

"The company believes the affected portion of our processing system is confined to North America, and less than 1.5 million card numbers may have been exported," the site said. "Nevertheless, if you believe your credit card information is at risk, immediately contact your card issuing institution or bank and all other relevant financial institutions."

It is not clear whether any end-users have yet been notified by their banks that their credit or debit cards may be at risk.

Litan, speaking to ABCNews.com, said the language of Global Crossing's statement was unusual.

"Typically when you disclose [a breach], you say how many cards were potentially compromised rather than exported," she said.

And Krebs told ABCNews.com in the same story that the number of affected cards "is probably far larger than the 1.5 million number they are citing in their statements, because those statements appear to be based on a figure that the company can say with relative certainty were downloaded or copied from its systems."

However, on his own blog, Krebs said there still were too many uncertainties, especially with regard to the information both he and Litan had received from sources Friday, which hinted at street-gang activity and a parking-garage company in New York City.

"I continue to be nagged by the possibility that my initial reporting may have been related to a separate, as-yet-undisclosed breach at another processor," he wrote.