It appears that the card data security breach at card processorGlobal Payments Inc. may be a good deal larger than card issuers,including credit unions, may have expected.

Sources close to the ongoing situation report that independentforensic investigators set the initial date for the breach in lateJanuary 2011, a full year earlier than the firm had initiallyestimated.

The company had revealed in late March of this year that it hasexperienced a data security breach that it had discovered earlierthat month. By April 1, the company had announced the breach hadbeen contained.

The company declined to comment on the reports, saying it wasnot commenting on dates regarding the theft. The company has alsonot commented on how many cards might eventually be found to havebeen compromised in the theft, but the total number could surpassthe total numbers of card accounts discovered stolen since January2009 when Heartland Payments Systems revealed a 2008 breach thatcompromised millions of card accounts. Most of the members of thegang that had been involved in that breach and several othersignificant card thefts were eventually caught and leaders of thecrime organization are serving sentences in federal prison.

Heartland paid tens of millions of dollars in fines to the majorcard brands and in negotiated payments to card issuers for part oftheir losses, though the card processor largely avoided any furtherlegal damages in lawsuits from issuers, including creditunions.

The previous only bright spot in this breach–the observationthat the 1.5 million estimated compromised accounts had not yieldedmuch theft–also appears to be fading. Industry sources hadspeculated on background that these thieves may lack thesophisticated and efficient means the previous gang used forturning the stolen card data into cash, but as the pages of cardalerts from the major card associations have continued to arrive,that hope has also faded.

CUNA Mutual Insurance, the firm which insures the bulk ofcredit union card programs, has alerted credit unions to thepossibility of greater card losses from both card-present andcard-not-present fraud since the Global Payments breach has beendetermined to have started on Jan. 30, 2011. The company has notpreviously made public a date for when the breach was supposed tohave begun.

“Credit unions experiencing card fraud since January 2011,should review 'card-present' and 'card-not-present' fraud andconfirm the fraud cases have been reported to the cardassociations” the insurer told covered credit unions. “This willassist the card associations in determining whether the fraud istied to the Global Payments breach. Credit unions that haveidentified a common point of purchase should report it to the cardassociations.”

Since the company had acknowledged that data from the magneticstripe had been stolen, credit unions had been warned to be awareof possible counterfeit card fraud, where thieves use the stolenmagnetic stripe data to manufacture fake cards. But Ann Davidson,senior risk consultant with CUNA Mutual, said the company has alsobegun revealing that data from the CVV2 line had also beencompromised, leaving the card accounts open to card-not-presenttheft. CVV2 data consists of the three digit code on the back ofmany credit cards that is meant to prove that the card is actuallyused in situations where it cannot be swiped, such as over theInternet.