The big data breach suffered by payment processor Global Payments has been all over the news and we haven’t covered it so far simply because there wasn’t anything we could have added to the discussion. There will now be a long and hugely expensive clean-up process to get things back to normal and I can only hope that everyone involved — the cardholders, the merchants, Global Payments, the card companies and networks — will get through it with as little damage as possible.
It was a huge event, though, affecting about 1.5 million cards, and I felt that I had to say a few words about what the damage was and what the fraudsters actually can do with the stolen data. From what we know, the criminals may not have managed to gain access to enough data to do real damage, but we don’t know the whole story yet. Still, we know enough to examine the possibilities and some of them are quite scary.
What the Criminals Stole from Global Payments
Let’s begin by assessing the damage. Here is what we learn from Global Payments’ website:
The company believes the affected portion of our processing system is confined to North America, and less than 1.5 million card numbers may have been exported. The investigation to date has revealed that Track 2 data may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals.
Track 2 data include the primary account number, the expiration date and some other pieces of information, but not the SSN or the card security code, and the track cannot contain alphabetic text, so the cardholder’s name and address are also safe. Track 1 is the only location on the card’s magnetic stripe that can contain alphabetic characters, and so that’s where the cardholder’s name is stored. And, from what the processor has released, Track 1 data were not stolen.
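The distinction drawn above (Track 1 carries the name, Track 2 is digits only) is exactly what a breach responder has to establish when triaging a dump. The following is an added example, not code from the original post: it classifies each record as Track 1 or Track 2 using the ISO/IEC 7813 layouts, Luhn-checks the PAN so noise is not counted as a real account, masks the PAN in the report, and says whether any cardholder name is exposed. The sample dump is constructed around the well-known 4111... test number.

```python
import re

# Added example, not code from the original post. Layouts follow ISO/IEC 7813:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?   (alphabetic name allowed)
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?           (digits only, no name)
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{12,19})\^(?P<name>[A-Z /.'-]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})[^?]*\?$")
TRACK2_RE = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\?$")

def luhn_ok(pan):
    """Mod-10 check: a PAN that fails it is noise, not a real account number."""
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def mask_pan(pan):
    """Keep BIN (first 6) and last 4 so the triage report is not itself card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def classify(record):
    """Return which fields one leaked record exposes, or None if it is not track data."""
    for track, rx, has_name in ((1, TRACK1_RE, True), (2, TRACK2_RE, False)):
        m = rx.match(record)
        if m:
            return {"track": track, "pan": mask_pan(m["pan"]), "luhn": luhn_ok(m["pan"]),
                    "exp": m["exp"], "name_exposed": has_name}
    return None

def triage(records):
    """Summarise a dump: record types, how many PANs are real, whether any name leaked."""
    summary = {"track1": 0, "track2": 0, "unparsed": 0, "valid_pans": 0, "names_exposed": False}
    for rec in records:
        info = classify(rec.strip())
        if info is None:
            summary["unparsed"] += 1
            continue
        summary["track%d" % info["track"]] += 1
        summary["valid_pans"] += int(info["luhn"])
        summary["names_exposed"] |= info["name_exposed"]
    return summary

# Constructed sample dump using the well-known 4111... test PAN, not real cardholder data.
SAMPLE_DUMP = [
    ";4111111111111111=25121010000000000?",             # Track 2: PAN + expiry, no name
    ";4111111111111112=2512101?",                       # Track 2 with a PAN that fails Luhn
    "%B4111111111111111^DOE/JOHN^25121010000000000?",   # Track 1: cardholder name exposed
    "not card data at all",                             # unrelated line in the dump
]
```

Run `triage(SAMPLE_DUMP)` to get the summary; a dump that contains only Track 2 records reports `names_exposed: False`, which is the situation the processor described.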
What the Criminals Can Do with Their Loot
Now that we know what was stolen, the question becomes what the fraudsters can do with the compromised data. Well, as you can see, the criminals have not managed to obtain enough account information to be able to process fraudulent transactions. In order to do so, at the very least they would also need the cardholders’ names. Now, if they had collected the email addresses of their victims, the criminals could have launched a large-scale phishing attack to attempt to trick the cardholders into revealing their names. We don’t know whether or not any email addresses have been compromised, but let’s assume that they have and see where that would take us.
If they had managed to collect the names of their victims, the criminals could have proceeded to encode the stolen data into counterfeit cards that could then be used in fraudulent transactions. And four years ago we saw just what a well-organized criminal group armed with thousands of counterfeit cards can do with them.
Back in 2008, hackers managed to penetrate the files of RBS Worldpay, the U.S. payment processing subsidiary of the Royal Bank of Scotland, and stole the card data of 1.5 million cardholders. So the magnitude of the RBS breach was precisely the same as that of the Global Payments event.
Crucially, however, the RBS hackers had all the data they needed to produce counterfeit cards and they got busy doing just that. But that was not all they did. While some of the criminals were manufacturing the fake cards, others entered RBS’s computer systems and started increasing the available funds on the accounts (in some cases to no less than $500,000), as well as the ATM withdrawal limits. Only then were the criminals ready to cash in. In less than twelve hours, they managed to withdraw $9.5 million from some 2,100 ATMs in 280 cities. While the heist was under way, some of the hackers were still logged into RBS’s system where they were monitoring the withdrawals and, once the operation was over, attempted to erase their tracks.
Again, we don’t know whether any email addresses were compromised during the Global Payments breach and we have even less knowledge about whether the hackers have managed to obtain any of the cardholders’ names. But if they have, the above Hollywood-like real-life story shows you what could be done with the stolen information.
The RBS criminals were eventually caught, as will probably be the case with the Global Payments hackers, but the damage caused by such events is huge. The good news for cardholders is that they are fully protected against fraudulent transactions, so they will not lose anything. The merchants may also be able to get off scot-free, if no fraudulent transactions stemming from the incident are processed.
But there is no such good news for the processor, which will end up footing a huge clean-up bill, whether or not the compromised data are put to use by the criminals. Moreover, Visa has now dropped Global Payments from its list of providers that are compliant with its data security standards. It will be a long climb out of this hole for the processor.
Image credit: Teamshatter.com.