Julianne Pepitone and Leigh Remizowski, NEW YORK, CNNMoney
A data breach at a payments processing firm has potentially compromised credit and debit card information from all of the major card brands, representatives from MasterCard and Visa said on Friday.
News of the breach was first reported by the widely read security blog Krebs on Security. That article said the breach was “massive,” and could involve more than 10 million card numbers.
The Wall Street Journal followed up with an article saying that processor Global Payments is the vendor that was breached. Global Payments shares fell 9% before trade was halted.
A representative of Global Payments did not immediately respond to a request for comment. The extent of the breach, and what kind of information was compromised, has not been confirmed.
“I’ve spoken with folks in the card business who are seeing signs of this breach mushroom,” Gartner analyst Avivah Litan wrote Friday in a blog post.
Her sources say the hackers have begun using some of the card data they stole, Litan added.
MasterCard said it has alerted payment card issuers “regarding certain MasterCard accounts that are potentially at risk.”
The company also said the breach is the subject of an ongoing forensic review by an independent data security organization.
Visa released a statement saying it too has provided card issuers with notifications about accounts that could be affected. The issuers “can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards,” it said.
Both MasterCard and Visa emphasized that their own networks had not been penetrated.
Neither company would comment on the scale or nature of the breach, but the Journal’s report says the information that was taken could potentially be used to counterfeit new cards. The breach reportedly took place between January 21 and February 25 of this year.
CNN has reached out to the other major credit card brands, including American Express and Discover, for comment.
In data breach situations, credit card companies generally offer affected customers fraud monitoring services at no cost — and customers aren’t on the hook for any fraudulent charges. The card issuers themselves are responsible for those costs.