In March 2012, Global Payments was forced to acknowledge that a breach had occurred, but the devil is in the details. Transparency is the last word that anyone would use to describe this massive breach, and for good reason. While MasterCard and Visa alerted issuers to the processor breach, asserting that it began in 2011 and involved the potential compromise of 10 million payment cards, official details of the event have been heavily obfuscated – it’s as though George Orwell had coached their PR firm. As a result, there are a number of questions for which we don’t have a clear answer:

  • How did it happen?
  • What type of data was compromised?
  • How many cards were involved?
  • Who was responsible?

Questions as to how the breach occurred revolve around the means of entry and how the data was gleaned. How hackers gained access remains open to debate, but there has been speculation that a system administrator account was compromised when knowledge-based authentication was overcome. More may be understood about the data that was gleaned by examining Global Payments’ assertions and potential motivations. Some of the answers that we actually have may not be apocalyptic, but what they portend isn’t pretty. As an example, if Global Payments’ assertion that 1.5 million cards were compromised is accurate, Javelin estimates that 428,000 cases of fraud are likely to occur as a result.

Global Payments Data Breach Fraud Impact Summary

Number of Fraud Cases: 428,000
Fraud Amount: $708,000,000
Consumer Cost (average): $355 per consumer
Resolution Hours (total): 4,906,000

© 2013 Javelin Strategy & Research

Retailers, financial institutions, and consumers can benefit from greater clarity than has been displayed thus far, as they will bear the burden of any resulting crimes. The misuse of data from this breach will result in $708 million in identity fraud, and consumers will spend nearly 5 million hours resolving these cases. Clearly answering the big questions will empower issuers to accurately assess the risk to their customers, retailers to determine if the incident is likely to recur, and consumers to identify the degree of protection that they should secure for themselves. Existing guidelines must be complied with and complemented by improved protocols if there is to be any success in rebuffing the efforts of capable, financially motivated criminals.

Javelin will attempt to shine a light on this and other breaches by applying our research on the relationship between data breaches and fraud in the upcoming Data Breach Fraud Impact Report. Compromised card data typically represents easy money for criminals, being used or sold in minutes for a quick profit – what we need now are the hard answers that will make it more difficult for them to succeed.