When we initially wrote about it, we were acting on a tip that was corroborated by other sources who wish to remain anonymous. What we knew at the time but couldn’t publish was that it was a “card not present” breach at an “acquirer / processor”. We’re now able to say this specifically, as another source has come out publicly with the information (props to databreaches.net for finding this source).
What we still don’t know is what processor has been breached. According to the aforementioned article, and as has been confirmed by our sources, VISA and Mastercard are refusing to disclose which acquirer processor had the breach, as the organization hasn’t released a public statement on it yet themselves.
We do know, from the aforementioned article and through investigative work done here as well, that the breach in question isn’t magstripe (hence card not present). The term “card not present” has been repeatedly used by almost every source we have, and by this article as well. We also know that cards affected by the Heartland breach may also have been affected by this breach, leading to some confusion at banks regarding reissuing cards.
Our questions: No magstripes? All “card not present”? Either this was a breach in a major processor’s online transactions system, or the breach was at a major online payment processor. Those are our guesses, but we’ve been surprised before. Also, why hasn’t the breached organization come forward? It has been “suggested” to us that some sort of a “gag” order is in effect on the topic, but we haven’t been able to ascertain whether this is an actual judicial order, or some otherwise unofficial order to keep quiet on this.
As to the size and scale of this new breach, we’re hearing mixed responses from smaller than Heartland to larger than Heartland, and given that we don’t yet have a number regarding Heartland, it seems ever more speculative as to just how big this new breach is. One thing is certain: the two breaches amount to a lot of card replacements, a lot of bankers working overtime, and a lot of consumers inconvenienced, or worse, defrauded.
More details as this unfolds, as it no doubt will.