BreachExchange mailing list archives

Global Closes Breach Investigation


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 16 Apr 2013 10:00:23 -0400

http://www.bankinfosecurity.com/global-closes-breach-investigation-a-5684

Global Payments Inc., an Atlanta-based payments processor, says it is
closing its investigation of a data breach it discovered in March 2012
that exposed an estimated 1.5 million U.S. debit and credit cards.

The company also reports that a breach-related class-action lawsuit
filed in April 2012 was dismissed March 6. The lawsuit claimed the
processor had failed to maintain reasonable and adequate procedures to
protect cardholders' personally identifiable information.

In its earnings report for the quarter ended Feb. 28, the company says
its network and systems have been confirmed compliant and secure, and
that all lingering expenses linked to the breach have been paid.

"Global Payments Direct Inc., our primary operating entity, has been
returned to the list of PCI-DSS [Payment Card Industry Data Security
Standard] compliant service providers, and we have received reports on
compliance covering all of our systems that process, store, transmit
or otherwise utilize card data," the report states.

Reinstating a good PCI standing required investment, Global adds.

"As a result of this event, certain card networks removed us from
their list of PCI-DSS compliant service providers," Global says. "Our
work to remediate our systems and processes is complete. We hired a
Qualified Security Assessor, or QSA, to conduct an independent review
of the PCI-DSS compliance of our systems. Our QSA completed the
evaluation of our remediation work."

Breach Costs Less Than Expected

The processor now reports that expenses linked to the breach were
lower than what the company had previously estimated.

In January, Global estimated the 2012 breach would result in $93.9
million in expenses.

But the company has since determined that expenses associated with the
breach totaled $92.7 million, $8.3 million of which were recorded
during the nine months that ended Feb. 28.

"We based our initial estimate of fraud losses, fines and other
charges on our understanding of the rules and operating regulations
published by the networks and preliminary communications with the
networks," Global says. "We have now reached resolution with the
networks and made payments to certain networks, resulting in charges
that were less than our initial estimates."

Expenses included:

$77.1 million for the investigation and remediation, incentive
payments to business partners, and credit monitoring and ID theft
insurance provided to affected consumers.

$35.6 million for total fraud losses, including fines and other
charges imposed by the card brands.

But Global recuperated $20 million of its losses through insurance
recoveries, with $18 million of those recoveries recorded during the
first quarter of fiscal 2013, the report states. "The three months ended
Feb. 28, 2013, resulted in a net credit of $1.2 million for total
processing system intrusion costs for the quarter," the company says
in its report.

As a result of those recoveries, Global says it reduced its accrual
for fraud losses, fines and other charges by $31.8 million during the
nine months ended Feb. 28.

So far, Global has not experienced a material revenue loss related to
the breach, but the company notes that the breach and related
remediation efforts could have a negative impact on future revenue.

The Breach

Global acknowledged its breach early in April 2012 after security
blogger Brian Krebs broke news about a hack that affected Global's
network.

In announcing the breach, Global's CEO Paul Garcia said the breach was
"manageable" and that Global was handling the investigation
internally.

Three separate card-issuing institutions provided BankInfoSecurity
with copies of advisories first issued by Visa and MasterCard,
confirming the breach occurred sometime between Jan. 21 and Feb. 25,
2012.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
