This morning, Global Payments held a conference call with investors and analysts covering their earlier breach announcement and projected earnings. Global Payments had also released an update advisory yesterday stating that "the company believes that the affected portion of its processing system is confined to North America and less than 1,500,000 card numbers have been exported" and that only Track 2 card data may have been stolen.
In discussing the breach, Paul Garcia, Chairman and CEO of Global Payments, reiterated that the investigation is ongoing, but that the 1.5m stolen card details likely represent an upper bound to the loss and that the breach only affected a "handful" of North American servers (i.e. this was not a Merchant breach). At this point, they are not aware of any fraudulent transactions related to the data theft.
Obviously, given the fact that they self-reported a breach, Global Payments is no longer Visa PCI certified and must now attempt to re-earn their ROC (Report on Compliance). Although they're not Visa PCI certified, that doesn't mean that they cannot process Visa cards — rather that, by being non-compliant, they will be liable for fines and additional losses. When asked during the call as to the likely charges and liability of the breach, listeners were reminded several times that the investigation is continuing and that the company has sufficient insurance to cover prospective liabilities. It was stated that Mastercard may take similar PCI certification actions.
I thought it was interesting that Global Payments had received assurances from competitors that they wouldn't capitalize on the breach — since any one of them could be similarly affected in the future (if not already breached, but undetected so far). I'm not sure how credible that is, and I'd be surprised if some of the competitors' sales folks aren't already independently using the breach to further their own agendas.
Global Payments stressed that, contrary to rumors, this is the first breach that the company has suffered. The breach itself is believed to be contained and was picked up by their server data monitoring and breach detection tools — "just not well enough" (no hints were made as to the nature of the technology deployed).
So, while the forensic investigations continue, what does it all mean? Based on the information disclosed thus far, it sounds like Global Payments is doing everything the right way. They disclosed as soon as they had enough information and confidence in their discoveries to do so. They've been using data monitoring tools to spot breaches — albeit these controls proved to be insufficient to stop the threat and don't sound like they were enabled for real-time reporting. They've pulled in experts to help them get to the bottom of the breach. And they're aware of the business consequences — having taken out sufficient insurance to protect against associated liabilities. What's left?
Last week a number of 10,000,000 had been thrown out as to the size of the theft. It now appears that 1,500,000 cards were stolen. No discussion was provided as to what other data had been exposed (i.e. no "evidence" that it had actually been stolen). Regardless, while 1.5m is less than 10m, it's still a damned big number and it will cost the card distribution agents quite a bit of money to clean up and reissue cards — all of which Global Payments will need to cover. I think that lessons have been learned from the big data breaches like TJX, but it would appear that the cost of a breach is largely independent of the number of cards actually lost.
Global Payments has been deliberately cautious in revealing any details as to how the incident occurred and the nature of the systems that failed to protect against the penetration or alert to the breach. I'd expect that time will shed more light on the attack vectors. It is important that such details are exposed as and when it is prudent to do so. While Global Payments is a multi-billion-dollar enterprise, there are still hundreds of other card clearing houses around the world that could benefit from detailed disclosures of the incident so that they could construct better defenses. While these may be competitors to Global Payments, we — as in you and I — are the potential victims of their inadequate defenses and I'd like assurances that they're doing better than they are today.
By Gunter Ollmann, Chief Security Officer at Vectra