Credit card processor Global Payments said today that in the course of investigating the theft of 1.5 million credit card numbers, it has discovered that hackers may also have stolen consumer data from servers.
"Our ongoing investigation recently revealed potential unauthorized access to personal information collected from a subset of merchant applicants," the company said in a statement on its Web site.
"It is unclear whether the intruders looked at or took any personal information from the company's systems; however, the company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost," the statement said. "The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the company's U.S. merchant applicants."
The company did not say in its statement exactly what type of consumer information may have been exposed or how many people may have been affected. Spokeswoman Amy Corn told CNET that she could not say anything beyond what is in the statement, but she said a replay of a shareholders' conference call from earlier today will be available here.
Global Payments confirmed in April that as many as 1.5 million Visa and MasterCard accounts may have been compromised by a breach that happened at some unknown time in the past.
"Based on the investigation to date, we continue to believe that a limited portion of our North American card processing system was affected, actual card numbers that may have been exported did not exceed 1,500,000 and any potential card exportation was limited to Track 2 data," the company statement said. Track 2 data, which is stored on a card's magnetic stripe, includes the account number and expiration date but does not include names, addresses or Social Security numbers.
"We believe this incident is contained," the company said about the breach pertaining to the theft of credit card numbers.
As a result of the problems, Visa and MasterCard removed Global Payments from their list of PCI (Payment Card Industry) compliant service providers. The processing firm is trying to get its PCI status revalidated and has hired a security assessor to do an independent review of its systems.
"We sincerely apologize for this incident and are working diligently to conclude our investigation," Chairman and CEO Paul R. Garcia said in the statement. "We are committed to fully resolve any issues arising from this matter and we, of course, continue to provide uninterrupted transaction processing for our customers worldwide."
The significant breach was initially reported by the Krebs on Security blog.
Updated 7:34 a.m. PT June 13 with link to replay of conference call.