Amid the details surrounding last week's disclosure of the massive credit card breach at Global Payments Inc., an incident that left at least 1.5 million Visa and MasterCard customers at risk, security researchers have noticed some discrepancies that call into question the validity of what the affected companies have admitted.
Cybersecurity researcher Brian Krebs, who broke the story last week, said that the timeline outlined by Global Payments of what was stolen, and when, does not sync with that of MasterCard and Visa.
(Visa pulled its seal of approval for Global Payments yesterday, April 1, and has asked the Atlanta-based payment processor to revalidate its compliance processes.)
In their initial incident report to banks on March 30, Visa and MasterCard said the breach at Global Payments (at the time, Global Payments had not been identified as the victim) occurred between Jan. 21 and Feb. 25, and that full Track 1 and Track 2 data was stolen — enough information to counterfeit new credit cards.
However, in a statement issued the same day, Global Payments said it detected the breach "in early March 2012," and that only Track 2 data "may have been stolen, but that cardholder names, addresses and social security numbers were not obtained by the criminals," Krebs wrote in his KrebsonSecurity blog.
Also, Global Payments said its own security systems identified the breach. Krebs and financial security expert Avivah Litan never said who initially found the breach; they seem to have issues with Global Payments' claim that it did, but they don't explain why.
"The apparent discrepancy over the timeline of the Global Payments breach and the means by which it was discovered and reported leaves several unanswered questions," Krebs wrote. "Was the initial alert by Visa and MasterCard that prompted this story related to a separate breach? If so, was Global Payments involved?"
Litan echoed Krebs' concern. In a post on the website of her company, information technology research firm Gartner, Inc., Litan said that following a phone call with Global Payments, "their breach seems to be very different than the one Visa issued an alert on."
"Sounds like there's a lot more going on out there than the payment industry and law enforcement have nailed down and are prepared to talk about," she wrote.
The story may be far from over. In a tweet sent out on the morning of April 2 at 7:30 a.m. (EST), Krebs wrote, "Hackers who tell me they've been inside of Global Payments since early 2011 have what appears to be GPN's internal disaster recovery plan."
Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved.