CUNA seeks CU info in massive breachWASHINGTON (4/2/12)--The Credit Union National Association (CUNA) is seeking specific credit union information from Visa and MasterCard in the wake of the disclosure Friday that the companies are notifying card-issuing credit unions and banks of a massive data breach at a third-party payments processor, Atlanta-based Global Payments Inc.
In a phone call with CUNA Friday afternoon, Visa said that about two weeks ago it was notified by an entity that it suspected a breach. By March 22, Visa received a file from the entity listing the accounts it believed to be at risk. Visa distributed to issuers with impacted accounts so they could distribute cards to the impacted individuals. Visa said that malware was installed in the entity's system and the card data was "scraped."
Visa did not identify the entity. However, Atlanta-based Global Payments on Friday afternoon issued a press release saying it had discovered the breach in a portion of its systems in early March. It determined card data may have been accessed and said it "identified and self-reported unauthorized access into a portion of its processing system." It "immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact" and "is continuing its investigation into this matter," the press release said.
"It is reassuring that our security processes detected an intrusion," said Global Payments Chairman/CEO Paul R. Garcia. "It is crucial to understand that this incident does not involve our merchants or their relationships with their customers," he added.
Both Visa and Mastercard, in statements e-mailed to CUNA, noted that there was no breach of their systems.
"There has been no breach of Visa systems, including its core processing network VisaNet," said Visa's statement.
"Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards," said Visa's statement.
"It's important for U.S. Visa consumer cardholders to know they are protected against fraudulent purchases with Visa's zero liability fraud protection policy, which exceeds federal safeguards," said Visa. The company encouraged cardholders to "regularly monitor their accounts and to notify their issuing financial institution promptly of any unusual activity." It provided a link for additional consumer security tips (use the resource link).
"Every business that handles payment card information is expected to protect the security and privacy of their customers' financial information by adhering to the highest data protection standards," Visa said. "Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises," it continued.
MasterCard also confirmed today to CUNA that it "is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result' we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk."
The Purchase, N.Y.-based company, in a statement sent to CUNA, said it "is concerned whenever there is any possibility that cardholders could be inconvenienced, and we continue to both monitor this event and take steps to safeguard account information. If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution."
It also noted that "law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization. It is important to note that MasterCard's own systems have not been compromised in any manner."
The number of cards compromised and the number of credit unions and banks being notified were not announced. The breach was first reported by Krebs On Security blog.
After it was revealed by media that Global Payments was the entity, company shares dropped 13% and the company halted trading of its shares.
Global handles electronic transaction processing services for merchants, Independent Sales Organizations (ISOs), financial institutions, government agencies, and multi-national corporations throughout the U.S., Canada, Europe and Asia-Pacific region. Its solutions encompass credit and debit cards, business-to-business purchasing cards, gift cards, electronic check conversion and check guarantee, verification and recovery including electronic check services and terminal management.
For information on steps to take, see related the News Now article, "What to do to mitigate breach risks--CUNA Mutual."