MasterCard and Visa announced on March 30 that they had suffered a data breach at a processor that may have resulted in more than 10 million compromised credit and debit-card numbers.

 

On his KrebsonSecurity blog, noted cybersecurity researcher Brian Krebs said the breach occurred between Jan. 21 and Feb. 25. In warnings to banks across the country, Visa and MasterCard said full Track 1 and Track 2 data was stolen, "meaning that the information could be used to counterfeit new cards," Krebs said.

 

(Data on Tracks 1 and 2 on magnetic-stripe cards include a cardholder's name and account number, as well as information that is read by ATM and credit-card processing machines, including the card's expiration date, security-verification code and encrypted PIN.)

 

Global Payments, Inc., confirmed to Krebs that it had been breached. And The Wall Street Journal reported that the third-party entity was the Atlanta-based payment processor.

 

"In early March 2012, the company determined card data may have been accessed," the company's statement read in part. "It immediately engaged external experts in information technology forensics and contacted federal law enforcement. The company promptly notified appropriate industry parties to allow them to minimize potential cardholder impact. The company is continuing its investigation into this matter."

 

Krebs' sources in the financial sector called the breach "massive" and said it may involve more than 10 million compromised credit card numbers. Many of the cards had been used "in parking garages in and around the New York City area."

 

Krebs updated his blog posting later on the morning of March 30, before the actual announcement, to include confirmation from Visa, which stressed that the possible breach was at a "third party entity affecting card account information from all major card brands."

 

On March 28, Public Service Credit Union (PSCU), a group that provides online financial services to credit unions, alerted 482 credit unions impacted by the breach, Krebs said. A total of 56,455 members' Visa and MasterCard accounts were compromised, the PSCU said, and fraudulent activity was detected on 876 accounts.

 

MSNBC and FoxNews.com received confirmation from MasterCard that the company was "currently investigating a potential account data compromise event of a U.S.-based entity" and that the breach was "the subject of an ongoing forensic review by an independent data security organization."

 

Both Krebs and financial-security expert Avivah Litan heard from sources that the breach was tied to a Latino gang — Krebs called the gang "Dominican," Litan "Central American" — operating in the New York area.

 

Litan said the gang may have broken into computers at a New York taxi-and-parking company, adding that "if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud."

 

It is not known how many individual cards were compromised. Visa and MasterCard did not return calls for comment from SecurityNewsDaily.

 

Copyright 2012 SecurityNewsDaily, a TechMediaNetwork company. All rights reserved.