Information stolen from as many as 1.5 million credit card accounts is the latest in a long line of data breaches — and an alert for consumers to monitor their accounts for fraudulent purchases, industry watchdogs say.
The latest major breach, reported late last week at Atlanta payments processor Global Payments Inc., resulted in no known consumer fraud as of Monday morning, Chief Executive Paul R. Garcia said in a conference call with analysts.
Authorities said Global Payments notified Visa and MasterCard, which had forwarded the numbers of the affected cards to banks that had issued them. The banks said they had stepped up monitoring and would alert consumers to any suspicious activity, issuing new cards as warranted.
"Customers are not liable for any unauthorized purchases made with their cards," JPMorgan Chase & Co. said in a statement. "We also encourage customers to monitor their accounts and contact us if they do not recognize a transaction on their account."
Global Payments said the break-in occurred about three weeks ago at a "handful" of servers processing North American transactions. Several security and forensics firms along with 100 of its 4,000 employees are investigating the loss of information on up to 1.5 million accounts, it said.
Global Payments also processes transactions for Discover and American Express cards. A Discover spokeswoman said the company had been notified that some of its cardholders' information had been compromised and was monitoring those accounts. AmEx officials couldn't immediately be reached for comment.
Although experts say the card industry is improving at guarding against data thefts, break-ins continue at a fast clip, according to the Privacy Rights Clearinghouse, a San Diego nonprofit that publishes a chronology of known data breaches.
The group tallied more than 535 such breaches last year, and said it had documented an "alarming" total of more than 545 million financial records compromised in the United States since 2005. That number actually understates the problem, Privacy Rights founder Beth Givens said, because not all breaches are picked up by news media and many states don't require companies to report breaches to an official clearinghouse.
Debit cards, which have fewer protections than credit cards, "should be very closely watched and any unauthorized transactions reported to the bank within two days," said Joanne McNabb, chief of the California Office of Privacy Protection in Sacramento.
McNabb said a state law that took effect in January requires companies that possess private financial information to notify not only individuals whose data was breached but the California attorney general's office or McNabb's agency. The attorney general's website lists the notifications.
Most banks have a zero-liability policy on unauthorized credit-card transactions, McNabb said, and the federal Truth in Lending Act limits consumer liability on credit-card fraud to $50.
"An unauthorized debit transaction comes right out of the consumer's bank account," McNabb said. "And even during a dispute of a transaction, the money is gone."
Global Payments set up a website at http://www.2012infosecurityupdate.com to provide additional information to consumers and merchants.