A credit-card processor that handles billions of dollars of transactions a year was struck by a security breach that may have left hundreds of thousands of account holders at risk of fraud.
Global Payments Inc. had trading halted Friday to stem a stock-price plunge that followed a report by The Wall Street Journal that the Atlanta-based processor had been hacked. The Atlanta-based stock fell as much as 13.7 percent before trading was halted in New York, according to Bloomberg.
While the extent of the breach had not been determined, The Wall Street Journal reported that hundreds of thousands of account holders could be affected. Earlier, the Krebs On Security blog reported that MasterCard and Visa were alerting card-issuing banks of a massive breach at an unnamed processor. Quoting unidentified sources in the financial sector, the blog said more than 10 million card numbers may have been compromised.
People familiar with the breach investigation told the newspaper that it did not appear as big as others in the credit-card industry. In 2005, processor CardSystems Solutions was struck by a breach that exposed 40 million credit-and-debit-card holders to fraud. In 2010 a Miami hacker was sentenced in the theft of 130 million credit- and debit-card records from Heartland Payment Systems.
The Atlanta-based Global Payments processes payments cards, including credit cards, debit cards and gift cards. Last year, the company handled $120.6 billion in Visa and MasterCard card volume, according to the Journal.
The Krebs On Security blog first reported that MasterCard and Visa were alerting card-issuing banks of a massive breach. Quoting unidentified sources in the financial sector, the blog said more than 10 million card numbers may have been compromised.
Gartner analyst Avivah Litan wrote in the technology researcher's blog that her sources within the credit-card business are seeing "signs of this breach mushroom."
MasterCard of Purchase, N.Y., told The Wall Street Journal that law enforcement had been notified and a forensic review was underway by an independent data security organization. A spokesman told the newspaper that MasterCard's systems had not been compromised.
San Francisco-based Visa issued a statement acknowledging a possible compromise involving a "third-party entity" and affecting accounts from all major card brands, the newspaper reported. Visa said its own systems had not been compromised and it had passed on affected card account information to banks.
A bank notice sent by Visa and reviewed by The Wall Street Journal said the breach at a third-party payment processor likely occurred between Jan. 21 and Feb. 25. The notice said the processor is working with a forensic company and the U.S. Secret Service was investigating the breach.
Visa and MasterCard do not issue credit cards, but handle transactions for merchants and banks. Major card issuers include Bank of America, J.P. Morgan Chase & Co., Capital One Financial, Citigroup and Wells Fargo.