A US payments processing company has admitted that it was hacked and that credit card numbers were accessed, although it says the number cards compromised is far lower that first report.
The Global Payments breach was first reported by security blogger Brian Krebs last week. Krebs revealed that credit card giants VISA and Mastercard had issued non-public alerts warning that a US card processor had been compromised between January 21 and January 25 this year.
Krebs cited ‘sources in the financial sector’ as saying that as many as 10 million credit cards might have been affected.
Over the weekend, Global Payments confirmed that it had been compromised but insisted that the fewer than 1.5 million cards were affected.
It also denied that any Track 1 data, the information stored in the the top half of a card’s magnetic strip that includes the name of the card holder, was compromised.
"Based on the forensic analysis to date, network monitoring and additional security measures, the company believes that this incident is contained," Global Payments wrote in a statement on their website.
This morning, a Visa spokesperson said it had removed Global Payments from its list of PCI DSS providers, the minimum global security standard for the payments industry.
Gartner’s fraud analyst, Avivah Litan, wrote in a blog post that the news "sheds light on the fact that knowledge based authentication should not be relied upon".
"I heard (and this may not be factual) that the crime was perpetrated by a Central American gang that broke into the company’s system by answering the application’s knowledge based authentication questions correctly," she wrote. "Looks like the hackers took over an administrative account that was not protected sufficiently."