The U.S. Secret Service is investigating a major cyber intrusion at an Atlanta-based payment processor that could expose millions of MasterCard, Visa, American Express and Discover cardholders to fraudulent charges.
Processor Global Payments Inc said on Friday it had found "unauthorized access" into its system early in March and notified law enforcement and financial institutions.
Payment network operators MasterCard Inc, Visa Inc, American Express Co and Discover Financial Services confirmed they were affected, along with banks and other franchises that issue cards bearing their logos.
A spokesman for the Secret Service said the agency is leading investigations into the case but declined to give any details.
Though Global Payments is far from a household name, middlemen such as the company are prized targets for hackers because of the vast amount of sensitive financial information they handle.
The company's stock fell more than 9 percent on the news before trading was halted. It said it would discuss the breach in a phone call for investors on Monday.
It was not immediately clear how Global Payments was penetrated or how many accounts were exposed. Consumers who detect fraud usually can be reimbursed. That leaves merchants on the hook financially, though they could file claims against Global Payments.
Analysts said MasterCard and Visa are unlikely to face costs from the breach, but MasterCard shares fell 1.8 percent to close at $420.54 and Visa shares dropped 0.8 percent to $118.
The security breach is just the latest in a long string of incidents that have put the personal information of millions of credit and debit cardholders at risk.
Individual banks and processors said they had not yet determined the full extent of the breach, but the blog Krebs on Security, which first reported the breach, said it was "massive" and could affect more than 10 million cardholders.
Some industry experts suggested the figure might be much lower, perhaps on the order of tens of thousands. Bernstein Research analyst Rod Bourgeois noted that Global Payments is a relatively small player in the transactions services industry, servicing 800,000 merchants with a 3.5 percent market share. By contrast, the largest competitor, First Data, services millions of merchants, with 22.6 percent of the market.
JPMorgan Chase & Co, as well as American Express and Discover, which issue their own cards, said they are monitoring customers' accounts and would issue new cards to anyone whose information may have been compromised.
Citigroup Inc said it has been notified by processors of the breach. Bank of America Corp declined to comment on the matter and Wells Fargo & Co said it was too early to comment on the impact.
Banks and processors emphasized customers would not be held liable for any fraudulent charges that may occur.
Michael Simonsen, chief executive of real-estate research company Altos Research, said he may have been a victim.
Simonsen said he was contacted by Bank of America last week about his Visa card. Although there were no unauthorized transactions, the representative told him a vendor or law enforcement agency had flagged his account as compromised and so he would receive a new one.
"It was very unusual," he said. (Reuters)