This story was updated with more information at 12:45 p.m. ET and at 5 p.m. Friday.
MasterCard and Visa have reportedly suffered a data breach at a processor that may have resulted in more than 10 million compromised credit- and debit-card numbers.
On his KrebsonSecurity blog, noted cybersecurity researcher Brian Krebs said the breach, at an unnamed U.S. card processor, occurred between Jan. 21 and Feb. 25. In warnings to banks across the country, Visa and MasterCard said full Track 1 and Track 2 data was stolen, "meaning that the information could be used to counterfeit new cards," Krebs said.
(Data on Tracks 1 and 2 on magnetic-stripe cards include a cardholder's name and account number, as well as information that is read by ATM and credit-card processing machines, including the card's expiration date, security-verification code and encrypted PIN.)
Krebs' sources in the financial sector called the breach "massive" and said it may involve more than 10 million compromised credit card numbers. Many of the cards had been used "in parking garages in and around the New York City area."
It is not known how many individual cards were compromised. Visa and MasterCard did not return calls for comment from SecurityNewsDaily.
On Wednesday (March 28), Public Service Credit Union (PSCU), a group that provides online financial services to credit unions, alerted 482 credit unions impacted by the breach, Krebs said. A total of 56,455 members' Visa and MasterCard accounts were compromised, the PSCU said, and fraudulent activity was detected on 876 accounts.
UPDATE: Brian Krebs updated his blog posting later Friday morning to include confirmation from Visa, which stressed that the possible breach was at a "third party entity affecting card account information from all major card brands."
The Wall Street Journal reported that the third-party entity was Atlanta-based payment processor Global Payments, Inc.
MSNBC and FoxNews.com received confirmation from MasterCard that the company was "currently investigating a potential account data compromise event of a U.S.-based entity" and that the breach was "the subject of an ongoing forensic review by an independent data security organization."
Both Krebs and financial-security expert Avivah Litan heard from sources that the breach was tied to a Latino gang — Krebs called the gang "Dominican," Litan "Central American" — operating in the New York area.
Litan said the gang may have broken into computers at a New York taxi-and-parking company, adding that "if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud."
UPDATE: At the end of the working day Friday, Global Payments, Inc., confirmed to Krebs that it had been breached.
"In early March 2012, the company determined card data may have been accessed," the company's statement read in part. "It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter."
The company will be holding a conference call at 8 a.m. ET Monday (April 2). Krebs has information on how to access the conference call.