A major payment processer suspects the fallout from a recent security breach may be worse than it initially believed.
Global Payments Inc. raised the red flag Tuesday, more than two months after it first reported that computer hackers may have heisted data from as many as 1.5 million credit and debit card accounts in North America. At that point, the company had concluded that the crooks hadn't taken anybody's name, address or Social Security numbers _ essential elements for obtaining a credit card under a stolen identify.
But after its investigators dug deeper into the intrusion, Global Payments discovered that the bandits also may have pried into computers storing the personal information of various merchants applying to have their sales processed. Besides names, addresses, and Social Security numbers, Global Payments also stores the drivers' license numbers and banking account numbers of merchants, according to the company's regulatory filings.
"It is unclear whether the intruders looked at or took any personal information from the company's system," Global Payments said in a statement Tuesday.
The company, which is based in Atlanta, said it still doesn't believe any personal information was taken from the up to 1.5 million card accounts cited in its original report of the theft. The data taken from the cards is believed to be mostly account numbers, expiration dates and security codes.
As an additional precaution, Global Payments said it alerted card issuers about more than 1.5 million potentially affected accounts so they can be on the lookout for suspicious activity.
Other key details remain murky because Global Payments still hasn't identified the merchants and banks entangled in the mess, nor estimated how many people may now be vulnerable to identify theft. The company still isn't projecting its potential losses from the security breakdown, leaving its shareholders in the dark, too.
"I am sorry I am not more forthcoming on this, but this is still evolving as we speak," Global Payments CEO Paul Garcia said in a conference call late Tuesday.
Reiterating earlier statements, Global Payments said it believes "this incident is contained."
Global Payments already has alerted banks about the additional risks and plans to send notices to people whose information may have been compromised. The company plans to pay for credit monitoring and identity protection insurance for everyone whose personal information may have been taken.
"We are going to do the right thing, period," Garcia pledged.
The company expects to have a better handle on how much the hacking will cost by July 26 when it is scheduled to report its fiscal fourth-quarter earnings. So far, Global Payments says there have been no fraudulent charges tied to the breach.
But some damage already has been done to the company, which earned $209 million on revenue of $1.86 billion in its last fiscal year.
After the breach, both Visa Inc. and MasterCard Inc. removed Global Payments from their lists of third-party vendors that meet the payment processing industry's security standards.
The financial uncertainty facing Global Payments has contributed to a 19 percent decline in the company's stock price since news of the breach broke. Global Payments' shares shed 24 cents in Tuesday's extended trading after finishing the regular session at $42.19.