Global Payments Inc. still expects it could spend about $120 million as a result of the data breach it reported in early March, but new information from the company gives a glimpse of just where that money is going. The big merchant processor, however, didn’t give any new details in its latest quarterly report and earnings conference call on just how the breach happened.
Global earlier said that no more than 1.5 million card accounts may have been compromised through what it is calling an intrusion into one of its processing systems for North American merchants. The computer intruders also may have gained access to personal data about a number of applicants for merchant accounts.
For now, the Atlanta-based company is continuing to beef up its computer security. “We are on track to hit our target of completing our remediation efforts to our processing systems by calendar year end,” chief financial officer David Mangum told analysts at Global’s earnings conference call with stock analysts Sept. 27.
A company spokesperson declined to comment to Digital Transactions News, but Mangum said during the earnings call for the first quarter of fiscal 2013 ended Aug. 31 that breach-related expenses in the period totaled $24 million. In all, Global has already spent $108.4 million on the breach, according to the company’s latest quarterly report to the Securities and Exchange Commission, filed Tuesday.
“We continue to anticipate that for the full year of 2013, intrusion costs will total about $55 million to $65 million or a net expense of $25 million to $35 million after expected insurance proceeds of $28 million are applied,” Mangum said at the earnings call, according to the Seeking Alpha transcript service. “This, of course, includes the $24 million amount we recorded in the first quarter.”
The $108 million total includes $67.4 million in fraud losses and anticipated fines and other charges from the card networks, although Global didn’t break out fines from fraud losses. Another $43 million through Aug. 31 went for professional fees and other expenses for remediation as well as credit monitoring and identity protection for the merchant-account applicants. Global says it has $30 million in insurance coverage for the incident, with $2 million already paid.
The current estimates thus would place total costs anywhere between $111.4 million and $121.4 million. At a mid-point of $116.4 million, the cost per compromised card would be about $78.
Global has hired a qualified security assessor (QSA) to review its systems and prepare a so-called report on compliance. If the report shows that Global meets the requirements of the Payment Card Industry data-security standard (PCI), the card networks would restore Global to their lists of PCI-compliant processors. Global had passed its last PCI inspection before the breach, but the networks typically deem a processor to be out of compliance in the event of a breach. Global is continuing to process card transactions during the remediation process and has said it expects its PCI-compliance status to be restored.
Global already is defending itself against one class-action lawsuit filed against it after the breach and says “this event could result in additional lawsuits in the future.” Governmental entities also have inquired about the breach and might launch investigations, the quarterly filing says without providing details.