Global Payments is reporting that the recent unauthorized access into the company's processing systems may have also exposed sensitive data the company stores about participating merchants.
Previously, the company had revealed that as many as 1.5 million payment cards had been compromised in a network breach in late March. Global Payments itself discovered the intrusion and disclosed the breach on April 2nd, and the company subsequently had its PCI compliant status revoked.
The ongoing investigation into the security lapse has uncovered evidence that the breach may also have included the exposure of merchant records.
"The Company's ongoing investigation recently revealed potential unauthorized access to servers containing personal information collected from a subset of merchant applicants," Global Payments revealed in a press release.
Global Payments is known to store personal information on its merchant business partners, including Social Security numbers, drivers license numbers, bank account details, and more.
"It is unclear whether the intruders looked at or took any personal information from the Company's systems; however, the Company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost. The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the Company's U.S. merchant applicants," the company explained.
So far, the investigation has not uncovered evidence that the exposure of consumer payment card information is any greater than the company had previously estimated.
"Based on the investigation to date, the Company continues to believe that a limited portion of its North American card processing system was affected. As discussed in our earlier announcement, the Company's continuing forensic investigation confirms that actual card numbers that may have been exported did not exceed 1,500,000," the press release explains.
Given the severity of the breach and the number of compromised accounts, Global Payments has also notified the card issuers of an undisclosed number of accounts that may also be at risk.
"The Company has, however, provided a larger quantity of card numbers to industry brands to enable them to proactively monitor cardholder activity. The evidence continues to indicate that the potential card exportation was limited to Track 2 data," the press release continued.
Track 2 data includes the card numbers and details that criminals could utilize in the manufacture of counterfeit or "clone" cards, but does not include any personally identifiable information like the exposed merchant data may.
The company is confident the intrusion has been successfully halted, and the company indicates they continue to make efforts to mitigate further risks of exposure.
"The Company believes that this incident is contained. The Company has made substantial progress in its investigation and remediation efforts and plans to provide additional information regarding the potential financial impact, the PCI compliance process and the status of the investigation not later than its July 26, 2012 year-end earnings call," the payment processor stated.
In comparison to corporate responses in many high profile breaches, Global Payments should be acknowledged for having promptly reported the intrusion, and for their continued efforts to keep consumers and other interest groups informed.
"We sincerely apologize for this incident and are working diligently to conclude our investigation. We are committed to fully resolve any issues arising from this matter and we, of course, continue to provide uninterrupted transaction processing for our customers worldwide," said Paul R. Garcia, Chairman and CEO of Global Payments.