The figure of 1.5 million is based on the number of cards that Global Payments is absolutely certain were 'stolen.' It makes no allowance for additional data that was almost certainly stolen in addition to the 1.5 million; we should expect the total to creep closer to 10 million.
However, there have been a number of intriguing 'anomalies' in the saga that are only now being recognised.
In Brian Krebs' initial report, he spoke of a major breach being reported by Visa and MasterCard. He also spoke of New York parking garages and Dominican gangs. At no time did he mention Global Payments.
Furthermore, Gartner's Avivah Litan also spoke of gangs and taxis and parking companies in New York.
Next thing we know, Global Payments has outed themselves as being breached, with the clear implication that there was a 'hacker' breach into their secure systems.
This doesn't seem to fit with the whole New York thing.
Additionally, both Krebs and Litan tuned into yesterday's Global Payments conference call and both are of the opinion that the breach described by both Visa and MasterCard in their warnings early last week is NOT the one described by Global Payments - something this writer suggested over 24 hours ago.
In addition, Krebs' sources are suggesting this is not the first time Global payments was breached - they've been continuously 'open' between early 2011 and the closing of the gap in March this year.
With so many pending investigations involving law enforcement, Visa, MasterCard and so on, it is difficult to get the truth from anyone and so far this saga remains extensively untold.
One thing is certain though. Global Payments is currently not PCI DSS compliant and yet they continue to process transactions. How this is possible has yet to be determined.