UPDATED April 1, 11:35 p.m. ET
Global Payments Inc. hinted on Sunday night that about 1.5 million consumers were impacted by the massive credit card hack that first came to light on Friday -- fewer than the 10 million that was initially reported.
In a statement, the firm said "less than 1,500,000 card numbers may have been exported" by hackers who had access to its payment processing system. "Cardholder names, addresses and social security numbers were not obtained by the criminals."
It also said hacker access was limited to the North American portion of its network.
Even without names or Social Security numbers, the so-called "track 2" that the firm admits was taken for each account would be enough for criminals to make fraudulent online purchases or perhaps clone credit cards to commit real-world fraud.
The data leak was first revealed on Friday, when MasterCard and Visa confirmed that law enforcement officials were investigating a major theft of U.S. consumers' credit card data. The computer security expert who first reported the theft said at the time that it might involve as many as 10 million accounts, making it one of the largest known credit card heists.
"MasterCard is currently investigating a potential account data compromise event of a U.S.-based entity and, as a result, we have alerted payment card issuers regarding certain MasterCard accounts that are potentially at risk," that association said in a statement. "Law enforcement has been notified of this matter and the incident is currently the subject of an ongoing forensic review by an independent data security organization."
In what is said to be an unrelated incident, Visa's network was knocked offline for about 4 minutes on Sunday afternoon. Visa, in a statement, blamed a technical glitch for preventing consumers from making transactions from 2:40 p.m. until about 3:20 ET.
Payment processors -- "middle men" that handle transactions between retailers and banks -- have long been a target of identity thieves because of the enormous amounts of data they control. In 2008, Princeton, N.J.,-based Heartland Systems was hacked, exposing tens of millions of credit card account numbers to theft.
The theft was first reported by well-known computer security journalist Brian Krebs on his blog, KrebsonSecurity.com. He reported that hackers had access to the then-unknown processor's data from Jan. 21 through Feb. 25, and were able to siphon off enough data to easily create counterfeit cards. His sources called the leak "massive."
Visa, in a statement, also acknowledged the data theft but said its own systems were not hacked.
“Visa Inc. is aware of a potential data compromise incident at a third party entity affecting card account information from all major card brands," the firm said. “Visa has provided payment card issuers with the affected account numbers so they can take steps to protect consumers through independent fraud monitoring and, if needed, reissuing cards."
Gartner security expert Avivah Litan said she's been told that the stolen data is already being used on the street by identity thieves.
"I’ve spoken with folks in the card business who are seeing signs of this breach mushroom. Looks like the hackers have started using the stolen card data more recently," she said.
She's been told that investigators believe the data theft originated in New York City.
"From what I hear, the breach involves a taxi and parking garage company in the New York City area, so if you’ve paid a NYC cab in the last few months with your credit or debit card — be sure to check your card statements for possible fraud," Litan said in her blog post on the topic.
MasterCard said none of its computers were hacked as part of the incident.
"MasterCard is concerned whenever there is any possibility that cardholders could be inconvenienced and we continue to both monitor this event and take steps to safeguard account information," the association added in its statement. "If cardholders have any concerns about their individual accounts, they should contact their issuing financial institution.... It is important to note that MasterCard's own systems have not been compromised in any manner. "