'Massive' data breach at Visa, MasterCard

Third-party payment-processing service company breached, compromised at least 50,000 accounts

Visa and MasterCard have confirmed reports from earlier this morning of what analysts call a "massive" data breach at a third-party company both employ to process credit and debit cards for banks and stores.

Visa and MasterCard sent confidential warnings late last week to banks holding cards that may have been compromised in attacks between Jan. 21 and Feb. 25 of this year, according to Krebs on Security, which broke the news this morning.

There is no indication of how the breach happened or consistent reports of its scope.

Krebs reports sources estimating as many as 10 million accounts may be affected, though the damage so far is limited. One service company notified 482 credit unions that are its clients that a total of 56,000 cards were compromised, but that only 876 of the accounts have shown any fraudulent activity, Krebs reported.

The Wall Street Journal put a name on the victim of the breach at 12:15 this afternoon: According to the WSJ update, Atlanta-based Global Payments, Inc. lost data that could compromise the accounts of

50,000 Visa and MasterCard holders.

Global Payments didn't respond to the WSJ, but did put an alert on its home page warning customers that any emails requesting customer passwords or login credentials is likely to be fake.

The alert links to a page with a generic warning that unnamed individuals may use the company's name to try to defraud customers, but doesn't mention the data breach or any other reason customers should be unusually wary.

Earlier this morning Visa issued a statement acknowledging a breach, but offering few details:

"Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands. There has been no breach of Visa systems, including its core processing network VisaNet."

The Credit Union National Association also confirmed the breach, reporting that ELGA credit union in Burton, Mich. saw 450 accounts compromised in the network of an unnamed retailer card-processing center.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies