Global Payments Breach Exposes Data From Applicants for Merchant Accounts

The hackers who broke into merchant processor Global Payments Inc.’s computer systems added a new chapter to the disreputable history of data breaches by gaining access to information from applicants for merchant accounts, the company disclosed late Tuesday.

Global’s revelation apparently is the first publicly known incidence of merchant-applicant information being affected by a data breach. Earlier compromises, even Global’s when the company disclosed its breach March 30 and held a conference call April 2, involved only card numbers or related data from card users.

“We have recently learned of potential unauthorized access to servers containing personal information from a subset of merchant applicants,” Global chairman and chief executive Paul R. Garcia said in a conference call with analysts. “It is unclear whether the criminals ever even looked at this information, much less took it from our system.”

Nevertheless, Global is notifying “certain individuals” in the subset of U.S. account applicants Garcia referred to that information they provided might be at risk of falling into the wrong hands. Global is providing affected applicants with free credit-report monitoring and $1 million in identity-protection insurance. Garcia would not give details about the specific types of data at risk, but applications for payment card acceptance typically are lengthier and ask for more financial information than the forms consumers fill out to get a credit card.

The potential compromise of merchant-applicant data became known only lately in a probe that involves government as well as private-sector investigators, and that’s why Global didn’t report it until now, according to Garcia. “We did not know of the potential access to personal information at the time of our April announcement or we would have announced it then,” he said, adding that Global believes “this incident is contained” and that applicants’ data are now safe from unauthorized eyes.

Atlanta-based Global gets its transaction volume from merchants signed by independent sales organizations as well as others signed by its own direct sales force. The company didn’t break out from which sources the potentially compromised merchant applications came.

Global, meanwhile, is sticking with its earlier statement that 1.5 million card numbers at most were potentially stolen. The information came only from Track 2 on the cards’ magnetic stripes, which means hackers did not get names and Social Security numbers, according to Garcia. But to help card networks and issuers thwart fraud, Garcia said Global is providing them with a larger amount of card numbers to monitor just in case, numbers processed on the affected systems going back a little more than a year before the company discovered the breach. Asked by an analyst about fraud that may have occurred on compromised cards, Garcia said so far he has only “anecdotal” information but no hard numbers.

Garcia also said Global is working with the card networks to be restored to their lists of processors compliant with the Payment Card Industry data-security standard (PCI), though he wouldn’t say when Global would get new report on compliance, or RoC, that would clear the way for its restoration as a processor in good standing. Global has already made improvements to its hardware, software and other systems to boost security and has hired a new qualified security assessor (QSA) to determine if it meets the PCI rules, Garcia said.

Nor would Global say how big the financial hit from the breach would be. In addition to its own costs for boosting security, Global is likely to get bills from Visa Inc. and MasterCard Inc. for expenses their card issuers incur to reissue cards and mitigate any fraud attributable to the breach. Global almost certainly will face fines from the networks, too. Garcia expects to have something to say about expenses when the company reports its earnings July 26 for the fourth quarter of fiscal 2012, which ended May 31.

Garcia said Global’s customers have been “unbelievably supportive” since the breach was announced and that even competitors have been supportive and haven’t tried to poach its merchants. He did say the company offered several large prospective customers the option of holding off on signing contracts with Global until the new RoC is done, and one took Global up on that offer.

nn