The US government is investigating a major cyber intrusion at a payment processor that could expose millions of credit cardholders to fraudulent charges.
Atlanta-based processor Global Payments Inc said on Friday it had found "unauthorized access" into its system early in March and notified law enforcement and financial institutions.
Payment network operators MasterCard Inc, Visa Inc , American Express Co and Discover Financial Services confirmed they were affected, along with banks and other franchises that issue cards bearing their logos.
A spokesman for the Secret Service said the agency is leading investigations into the case but declined to give any details.
Though Global Payments is far from a household name, middlemen such as the company are prized targets for hackers because of the vast amount of sensitive financial information they handle.
The company's stock fell more than 9 per cent on the news before trading was halted. It said it would discuss the breach in a phone call for investors on Monday.
It was not immediately clear how Global Payments was penetrated or how many accounts were exposed. Consumers who detect fraud usually can be reimbursed. That leaves merchants on the hook financially, though they could file claims against Global Payments.
Analysts said MasterCard and Visa are unlikely to face costs from the breach, but MasterCard shares fell 1.8 per cent to close at $420.54 and Visa shares dropped 0.8 per cent to $118.
The security breach is just the latest in a long string of incidents that have put the personal information of millions of credit and debit cardholders at risk.
Individual banks and processors said they had not yet determined the full extent of the breach, but the blog Krebs on Security, which first reported the breach, said it was "massive" and could affect more than 10 million cardholders.
Some industry experts suggested the figure might be much lower, perhaps on the order of tens of thousands.
Bernstein Research analyst Rod Bourgeois noted that Global Payments is a relatively small player in the transactions services industry, servicing 800,000 merchants with a 3.5 per cent market share. By contrast, the largest competitor, First Data, services millions of merchants, with 22.6 per cent of the market.
JPMorgan Chase & Co as well as American Express and Discover, which issue their own cards, said they are monitoring customers' accounts and would issue new cards to anyone whose information may have been compromised.
Citigroup Inc said it has been notified by processors of the breach. Bank of America Corp declined to comment on the matter and Wells Fargo & Co said it was too early to comment on the impact.
The breach is the first major instance this year of consumer information put at risk by technological flaws or hacking, but there are plenty of examples of massive data breaches in recent years affecting banks, retailers, technology companies and payment processors.
Last June, Citigroup said computer hackers breached the bank's network and accessed data of about 200,000 cardholders in North America.
Sony Corp also reported several recent attacks, including one last year in which hackers accessed the personal information on 77 million PlayStation Network accounts.
Google Inc suffered a major attack on its Gmail accounts in 2011 that it said appeared to originate in China.