Security blogger Brian Krebs this morning broke a story that Visa and MasterCard have begun sending alerts to banks about a major breach at an unnamed payment card processing firm. By Mark Lennihan, AP A sign for MasterCard in New York on March 19, 2012. Enlarge By Mark Lennihan, AP A sign for MasterCard in New York on March 19, 2012. Ads by Google Global EMBA at INSEAD Learn & work in synergy Global, yet convenient format global.emba.insead.edu Experian® ID Protection Get Powerful Identity Protection For £6.99 Per Month. Join Today! www.protectmyid.co.uk/id_theft Rise Visa Credit Card No Interest Charges, Affordable. Simple Monthly Fee, Credit to £300. www.risecredit.co.uk Visa and MasterCard have acknowledged the breach, and The Wall Street Journal is now reporting that the processor is Atlanta-based Global Payments. Krebs told Technology Live that Global Payments is expected to issue a statement today. "Law enforcement asked everyone to keep it quiet so as not to disturb investigations," Krebs says. " I'm hearing now from two sources that investigators suspect Dominican street gangs may be involved and that the fraud is focusing mostly on commercial credit and debit card accounts." Credit card processors have been breached before. Heartland Payment Systems lost 130 million payment card records generated by 250,000 merchants and restaurants in 2008. But the stakes are much higher this time around, especially for retailers. Some 46 states have now enacted data breach disclosure laws that require merchants and payment card issuing banks and credit unions to notify customers whose card numbers are stolen. Many of these data loss disclosure laws impose stiff fines if notifications are not done in a timely manner. Massachusetts recently showed that such fines can generate much-needed revenue, while also championing consumer privacy and security, says Ted Julian, of Co3, a Cambridge, Mass.-based start-up that helps retailers manage the repercussions of credit card theft. Depending on the scale of the Global Payments breach, which has not been disclosed, states could see a windfall in fines levied against merchants and card-issuing banks and credit unions who are slow to notify consumers that their credit or debit card number is in criminals' hands. Co3 has just sent out analysis conveying the hypothetical case of one merchant losing the payment card numbers of 1 million customers dispersed in 10 states. If that company failed to meet all 10 disclosure requirements, it would face $1.6 million in fines, Julian says. "Merchants are definitely on the hook for these state disclosures, because they are the ones who have the consumer relationship," Julian says. Gartner banking security analyst Avivah Litan says her sources "are seeing signs of this breach mushrooming. From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you've paid a NYC cab in the last few months with your credit or debit card be sure to check your card statements for possible fraud." Litan also is hearing about a Central American connection. Unverified reports, she says, point to a "Central American gang that broke into the company's system by answering the application's knowledge-based authentication questions correctly. Looks like the hackers took over an administrative account that was not protected sufficiently."
0 comments:
Post a Comment