A company that processes credit card transactions said Monday that as many as 1.5 million card numbers were compromised in a data breach early last month.
The CEO of the company, Global Payments Inc., said the matter was "absolutely contained," but Visa dropped the company from its list of approved third parties that process transactions between stores and banks.
The breach was revealed Friday when Visa and MasterCard said they had notified issuers of their credit cards. On Monday, American Express said it may have been affected, and Discover promised to reissue cards where appropriate.
Global Payments set up a website to help cardholders but did not provide the names of affected stores or banks. Its stock fell 4.5 percent on Monday. It fell 9 percent Friday before trading was stopped.
Global Payments CEO Paul Garcia said card numbers were compromised but cardholder names, addresses and Social Security numbers were not. He said the company was working with law enforcement.
Besides processing cards in the U.S., Global Payments provides its services to government agencies, businesses and others in Canada, Europe and the Asia-Pacific region.
Global Payments reported financial results Monday and said profits rose 20 percent to $58 million from December through February compared with the year before. It did not estimate what it would lose because of the breach.
The breach appeared to be one of the largest in the past several years. Last June, hackers stole information for 360,000 credit card accounts at Citigroup. In the past year, there have been attacks against the International Monetary Fund, National Public Radio, Google and Sony's PlayStation Network.
When hackers get consumer information, they can use it to mine data from the Web about those people. That makes it easier to send targeted emails that mimic messages from the bank, a process known as spear phishing, in hopes of getting customers to divulge more valuable information.
Data breaches and hacking affect as many as 8 million Americans each year, costing billions of dollars and countless hours to correct the problems they create.
Yaron Samid, CEO of BillGuard, a company that specializes in personal-finance security, said that hackers who have credit card data try to sell the information on the black market. He said hackers can use small transactions to confirm that a credit card is active before they charge larger amounts.
Forty-six states require businesses to notify customers of a data breach when personal information has been placed at risk. Consumers who received a breach notification last year were almost 10 times more likely to be fraud victims than those who did not, according to Javelin, a research company.
Associated Press writers Candice Choi, Eileen AJ Connelly, and AP Television's Luke Sheridan contributed to this report. Pallavi Gogoi can be reached at http://twitter.com/pgogoi.
Global Payments breach information: http://www.2012infosecurityupdate.com
Resources from the Consumer Federation of America: http://www.idtheftinfo.org.
Personal credit reports: http://www.annualcreditreport.com.