Out-Law News

Data breach cost payment service firm $84.4 million


An international payment services firm has estimated that a data breach it reported earlier this year has so far cost it $84.4 million.

Global Payments, one of the biggest processors of electronic transactions in the world, reported in March that it had detected "unauthorized access into a portion of its processing system". The company subsequently reported that its investigation into the incident found "potential unauthorized access to servers containing personal information collected from a subset of merchant applicants."

The company has estimated that personal data from up to 1.5 million card numbers was stolen from its systems, with the information relating to North American card holders. In reporting its fourth-quarter and year-end earnings Global Payments said that the breach had cost it $84.4m before tax.

"This charge includes an estimate of charges from the card brands and investigation and remediation expenses," Global Payments said in a statement.  

The company has said that evidence uncovered by its investigations suggests 'track 2' card data may have been stolen, but that "cardholder names, addresses and social security numbers were not obtained by the criminals."

Track 2 card data refers to information recorded in a standardised format on payment cards that is read by ATMs and other processing systems in order to make transactions. It includes information such as the cardholders' account number, card expiration date and card verification numbers.

According to the Payment Card Industry Security Standards Council (PCISSC), companies can store some track 2 card data but are "prohibited" from storing "sensitive authentication data" contained within that information.

"This data is very valuable to malicious individuals as it allows them to generate fake payment cards and create fraudulent transactions," according to PCISSC guidance. "Full track data storage also violates the payment brands' operating regulations and can lead to fines and penalties."
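The distinction drawn above, between track 2 data a processor may retain and the full track (with its sensitive authentication data) it must never store after authorisation, is easiest to act on with a scanner that looks for stored track 2 records in logs or dumps and redacts them. The following is an added example, not code from the article or from Global Payments; the track 2 layout follows the ISO/IEC 7813 magnetic-stripe format (start sentinel, PAN, separator, YYMM expiry, service code, discretionary data, end sentinel), and the sample log line and the PAN 4111 1111 1111 1111 are constructed test values.

```python
import re
from dataclasses import dataclass

# Track 2 layout per ISO/IEC 7813: ;PAN=YYMMSSS<discretionary>?
# The PAN, expiry and service code may be retained (PAN truncated); the
# discretionary field carries the card verification value, which PCI DSS
# says must never be stored post-authorisation. Regex is an assumption.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

def luhn_ok(pan: str) -> bool:
    """Luhn check so random digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS permits showing at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Finding:
    offset: int       # position of the record within the scanned text
    masked_pan: str
    expiry: str       # YYMM as encoded on the stripe

def find_track2(text: str) -> list[Finding]:
    """Report every full track 2 record (with a Luhn-valid PAN) in a blob."""
    return [
        Finding(m.start(), mask_pan(m.group("pan")), m.group("exp"))
        for m in TRACK2_RE.finditer(text)
        if luhn_ok(m.group("pan"))
    ]

def redact_track2(text: str) -> str:
    """Replace full track data with a masked token before the text is persisted."""
    def _sub(m: re.Match) -> str:
        return f"[TRACK2 PAN={mask_pan(m.group('pan'))} EXP={m.group('exp')}]"
    return TRACK2_RE.sub(_sub, text)

# Constructed sample: a debug log line that accidentally captured a swipe.
SAMPLE_LOG = "2012-03-30T10:14:02Z swipe ok raw=;4111111111111111=25121011234567890? term=07"
```

Running `find_track2(SAMPLE_LOG)` flags the record as a masked PAN and expiry, and `redact_track2(SAMPLE_LOG)` returns the line with the full track replaced, which is what a log pipeline should do before anything is written to disk.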

Global Payments previously said that on becoming aware of the data breach it had "immediately engaged external experts in information technology forensics and contacted federal law enforcement" and that it had "promptly notified appropriate industry parties to allow them to minimise potential cardholder impact." 

In June it said it would "make available credit monitoring and identity protection insurance at no cost" to those who may have had personal data stolen or viewed by criminals that had accessed its systems.  

"A qualified security assessor is conducting the independent review required to return the company to the lists of PCI compliant service providers," the company's year-end earnings statement said.

Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that the costs of a single security incident can easily reach the millions.

"Card scheme fines, providing replacement cards to customers, root cause analysis, system fixes, and PR expenses, amongst others, all need to be factored in," he said. "Even without a security incident occurring, businesses that process cards can be fined monthly for non-compliance with the PCI Data Security Standard (DSS). However, if an incident does occur, given that the costs could push a business into making an operating loss or even becoming insolvent, cyber insurance and contingency plans can be essential."

"Just as importantly, it needs to be recognised that PCI DSS compliance is not only an in-house affair. Merchants are responsible for ensuring that external providers that touch card transaction data are also compliant and have risk management measures in place. This is all too often overlooked, and can be challenging to resolve with incumbent providers. It is, however, essential to have compliance obligations in writing with providers – this should allow clear recourse if an incident occurs, which can help to spread the costs," McFadyen said.
