1.5 Million Card Numbers at Risk From Hack

April 3, 2014

By Julianne Pepitone @CNNMoneyTech

NEW YORK (CNNMoney) - A data breach at a payments processing firm has potentially compromised up to 1.5 million credit and debit card numbers from all of the major card brands.

Global Payments, a company that processes card transactions, confirmed late that "card data may have been accessed." The company said it discovered the intrusion in early March and "promptly" notified others in the industry.

Global Payments released a statement late Sunday with more details, saying that while more than 1 million card numbers may have been compromised, cardholder names, addresses and Social Security numbers were not affected.

That's a sizeable breach, but it's far less than the worst-case-scenario numbers flying around on Friday -- and it affects just a small fraction of the estimated 1 billion debit and credit cards in circulation in the U.S.

Global Payments did not say which card companies were affected, but Visa released a statement on Friday saying that it was all of the big players.

That's because Global Payments is one link in the long chain involved in card transactions. When a customer swipes a credit card, the data is sent to a payment processor like Global Payments, which coordinates the steps involved in authorizing the charge and submitting the transaction details to card networks like Visa and MasterCard.

MasterCard (MA, Fortune 500) says it has alerted payment card issuers "regarding certain MasterCard accounts that are potentially at risk." Discover (DFS, Fortune 500) and American Express (AXP, Fortune 500) say they are monitoring the situation.

Late Sunday, Visa (V, Fortune 500) spokeswoman Sandra Chu confirmed to CNN that Visa had removed Global Payments from its list of preferred credit-card processors. Global Payments said that it can still process transactions, but it will have to pay higher fees to do so.

Global Payments held a conference call Monday morning to provide more details on the debacle. Executives stressed that an investigation is ongoing. Until that is complete, they're holding off on going into specifics on how the hack happened.

Still, Global Payments said the breach was limited to only "a handful of servers," and it appears to be confined to accounts in North America. The company's CEO, Paul Garcia, said it was working with its customers closely to contain the damage.

"These are thieves; these are bad guys. These are people who want to hurt all of us," Garcia said during the call. "We're working together on it."

Global Payments CFO David Mangum brushed off several analyst questions about the potential hit to the company's profits -- and its reputation.

"Obviously, this was not in our expectations for the year," he said. "We'll wrap up liability in one conversation, when we can," Mangum repeated on the call.

For customers, the best thing to do is sit tight. If your card issuer thinks your account may have been compromised, they'll contact you -- and no matter what, you're not liable for unauthorized charges made on your account.