It appears that the card data security breach at card processor Global Payments Inc. may be a good deal larger than card issuers, including credit unions, may have expected.
Sources close to the ongoing situation report that independent forensic investigators set the initial date for the breach in late January 2011, a full year earlier than the firm had initially estimated.
The company had revealed in late March of this year that it has experienced a data security breach that it had discovered earlier that month. By April 1, the company had announced the breach had been contained.
The company declined to comment on the reports, saying it was not commenting on dates regarding the theft. The company has also not commented on how many cards might eventually be found to have been compromised in the theft, but the total number could surpass the total numbers of card accounts discovered stolen since January 2009 when Heartland Payments Systems revealed a 2008 breach that compromised millions of card accounts. Most of the members of the gang that had been involved in that breach and several other significant card thefts were eventually caught and leaders of the crime organization are serving sentences in federal prison.
Heartland paid tens of millions of dollars in fines to the major card brands and in negotiated payments to card issuers for part of their losses, though the card processor largely avoided any further legal damages in lawsuits from issuers, including credit unions.
The previous only bright spot in this breach–the observation that the 1.5 million estimated compromised accounts had not yielded much theft–also appears to be fading. Industry sources had speculated on background that these thieves may lack the sophisticated and efficient means the previous gang used for turning the stolen card data into cash, but as the pages of card alerts from the major card associations have continued to arrive, that hope has also faded.
CUNA Mutual Insurance, the firm which insures the bulk of credit union card programs, has alerted credit unions to the possibility of greater card losses from both card-present and card-not-present fraud since the Global Payments breach has been determined to have started on Jan. 30, 2011. The company has not previously made public a date for when the breach was supposed to have begun.
“Credit unions experiencing card fraud since January 2011, should review 'card-present' and 'card-not-present' fraud and confirm the fraud cases have been reported to the card associations” the insurer told covered credit unions. “This will assist the card associations in determining whether the fraud is tied to the Global Payments breach. Credit unions that have identified a common point of purchase should report it to the card associations.”
Since the company had acknowledged that data from the magnetic stripe had been stolen, credit unions had been warned to be aware of possible counterfeit card fraud, where thieves use the stolen magnetic stripe data to manufacture fake cards. But Ann Davidson, senior risk consultant with CUNA Mutual, said the company has also begun revealing that data from the CVV2 line had also been compromised, leaving the card accounts open to card-not-present theft. CVV2 data consists of the three digit code on the back of many credit cards that is meant to prove that the card is actually used in situations where it cannot be swiped, such as over the Internet.