1.5 million card numbers at risk from hack

@CNNMoneyTech April 3, 2012: 11:29 AM ET

NEW YORK (CNNMoney) -- A data breach at a payments processing firm has potentially compromised up to 1.5 million credit and debit card numbers from all of the major card brands.

Global Payments, a company that processes card transactions, confirmed late Friday that "card data may have been accessed." The company said it discovered the intrusion in early March and "promptly" notified others in the industry.

Global Payments released a statement late Sunday with more details, saying that while more than 1 million card numbers may have been compromised, cardholder names, addresses and Social Security numbers were not affected.

That's a sizeable breach, but it's far less than the worst-case-scenario numbers flying around on Friday -- and it affects just a small fraction of the estimated 1 billion debit and credit cards in circulation in the U.S.

Global Payments did not say which card companies were affected, but Visa released a statement on Friday saying that it was all of the big players.

That's because Global Payments is one link in the long chain involved in card transactions. When a customer swipes a credit card, the data is sent to a payment processor like Global Payments, which coordinates the steps involved in authorizing the charge and submitting the transaction details to card networks like Visa and MasterCard.

MasterCard (MA, Fortune 500) says it has alerted payment card issuers "regarding certain MasterCard accounts that are potentially at risk." Discover (DFS, Fortune 500) and American Express (AXP, Fortune 500) say they are monitoring the situation.

Late Sunday, Visa (V, Fortune 500) spokeswoman Sandra Chu confirmed to CNN that Visa had removed Global Payments from its list of preferred credit-card processors. Global Payments said that it can still process transactions, but it will have to pay higher fees to do so.

Global Payments held a conference call Monday morning to provide more details on the debacle. Executives stressed that an investigation is ongoing. Until that is complete, they're holding off on going into specifics on how the hack happened.

Still, Global Payments said the breach was limited to only "a handful of servers," and it appears to be confined to accounts in North America. The company's CEO, Paul Garcia, said it was working with its customers closely to contain the damage.

"These are thieves; these are bad guys. These are people who want to hurt all of us," Garcia said during the call. "We're working together on it."

Global Payments CFO David Mangum brushed off several analyst questions about the potential hit to the company's profits -- and its reputation.

"Obviously, this was not in our expectations for the year," he said. "We'll wrap up liability in one conversation, when we can," Mangum repeated on the call.

For customers, the best thing to do is sit tight. If your card issuer thinks your account may have been compromised, they'll contact you -- and no matter what, you're not liable for unauthorized charges made on your account.

Related story: What to do if your card is hacked

On Saturday, a U.S. Secret Service spokesman said the agency is also investigating the incident.

Global Payments's wide reach: Global Payments' Garcia insisted his company will pull through, but it's already suffering fallout. Global Payments' (GPN) stock fell 9% Friday before trading was halted midday; it did not resume before the market closed.

The stock began trading again on Monday, and it closed the day down 3.7%.

Global Payments processed $167 billion worth of transactions in its last fiscal year, which ended May 31, 2011. The company specializing in serving small merchants, like mom-and-pop businesses and local retailers.

When payment processors get hacked, the shrapnel can spread far. The record holder for the largest-ever breach is believed to be a 2008 attack on Heartland Payment Systems (HPY), in which an estimated 130 million customer accounts were compromised.

Heartland eventually paid more than $110 million to Visa, MasterCard, American Express and other card associations to settle claims related to the breach.

In data breach situations, credit card companies generally offer affected customers fraud monitoring services at no cost -- and customers aren't on the hook for any fraudulent charges. Someone further up the chain -- the card issuer, or sometimes the merchant -- is responsible for those costs.

"Our merchants and our customers understand that this will make us even stronger," Global Payments' Garcia said on Monday's call. "'Business as usual' sounds a little trite, but that's what we're trying to get to." To top of page

Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.