March ended on a sour cyber security note as Visa and MasterCard reported a data breach at a firm processing card transactions. The breach, at Atlanta-based Global Payments, took place between late January and late February, and may have compromised more than 10 million accounts.
According to the card issuer reports, "full Track 1 and Track 2 data" was stolen. Translated into English, this means that the thieves have sufficient information to make counterfeit duplicate cards. According to the blog Krebs on Security, fraudulent transactions have been detected – so far – on 876 individual accounts.
Reporting on this breach offers a few insights into cyber-crime. It is not just about shadowy Eastern European masterminds. Transaction patterns on the compromised accounts suggest that the breach occurred at New York City area parking garages. Law enforcement sources suggest links to Dominican street gangs. You don't need a genius hacker to suborn, intimidate – or merely distract – a parking-garage attendant.
And the lesson for firms is that you can't simply rely on the payment card industry and assume that everything will be safe and secure. There is no evidence that the card issuers, Global Payments, or the parking garage operators did anything wrong. But hairline cracks in the system still compromised 10 million accounts.