Anatomy of a Breach: Global Payments — 1.5 Million Cards and a Visa Delisting

> series: anatomy_of_a_breach —— part: 039 —— target: global_payments —— cards: 1,500,000 —— consequence: visa_delisted

Hedgehog Security 31 March 2012 11 min read

1.5 million cards. Delisted by Visa.

In late March 2012, payment processor Global Payments disclosed that it had identified and self-reported unauthorised access to its processing system, resulting in the compromise of approximately 1.5 million payment card numbers. The breach had occurred between January and February 2012. Both Visa and MasterCard removed Global Payments from their lists of PCI DSS-compliant service providers — effectively banning the company from processing transactions for the two largest card networks until compliance could be re-established.

The breach was first reported by security journalist Brian Krebs, who noted the strong parallels with the Heartland Payment Systems breach of 2009 — another payment processor compromised through its transaction processing infrastructure. The financial impact to Global Payments included $94 million in breach-related costs, a 9% drop in share price on disclosure day, and the commercial damage of being publicly delisted by Visa. The breach reinforced that payment processors remain high-value targets — and that PCI DSS compliance at assessment time does not prevent breaches between assessments.


Payment processors: the recurring target.

Global Payments was the third major payment processor breach covered in this series, following Heartland (130 million cards, 2008) and RBS WorldPay ($9 million stolen, 2008). The pattern is consistent: payment processors handle enormous volumes of card data in transit, making them a concentrated target. A single breach yields millions of card numbers without the need to compromise individual merchants.

PCI DSS Compliance ≠ Security

Global Payments was PCI DSS compliant at its last assessment. The breach occurred between assessments. As with Heartland, this demonstrates that compliance is a point-in-time snapshot, not a continuous guarantee. Our <a href="/penetration-testing/pci-dss">PCI DSS penetration testing</a> tests real-world exploitability, and <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the continuous monitoring between assessments.

Visa Delisting: Commercial Devastation

Being removed from Visa's compliant processor list is a commercial catastrophe for a payment processor. It signals to merchants and banks that the processor cannot be trusted with card data. The reputational and financial damage extended far beyond the $94 million in direct costs.

Market Impact: Immediate

Global Payments' share price dropped 9% on the day of disclosure. The market's immediate reaction reflected the commercial reality: payment processors that suffer breaches lose the trust that their entire business depends on.

Self-Reporting Mattered

Global Payments self-reported the breach — it was identified internally before external disclosure. This proactive approach, while not preventing the breach, demonstrated the value of internal monitoring and detection capabilities. Organisations with <a href="https://www.socinabox.co.uk">SOC monitoring</a> are more likely to identify breaches internally rather than learning about them from Visa or the press.

Continuous testing, continuous monitoring.

The Global Payments breach reinforced the central lesson of every payment processor compromise in this series: annual PCI DSS assessment is necessary but not sufficient. Security requires continuous monitoring to detect breaches between assessments, regular penetration testing to identify new vulnerabilities as they emerge, and vulnerability scanning to maintain patching discipline.

For any organisation that processes, stores, or transmits payment card data — from merchants to processors — our PCI DSS penetration testing provides the assessment. Cyber Essentials establishes the baseline controls. SOC in a Box provides continuous monitoring. And UK Cyber Defence provides incident response when a breach is detected.


Three payment processors breached in this series. All were PCI compliant. Have you tested beyond compliance?

Our <a href="/penetration-testing/pci-dss">PCI DSS penetration testing</a> goes beyond the compliance checkbox. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors between assessments.
