The discovery of a further breach is a blow for the company, which has been removed from the list of PCI-compliant processors by the major card brands in the wake of the incident.

In an update on its ongoing investigation into the payment card breach, the company confirmed that the number of card numbers exported "did not exceed" 1.5 million. The evidence also indicates that the hack was limited to Track 2 data, which includes card numbers and other details that can be used to create counterfeit cards but does not expose cardholder names, addresses or Social Security numbers.

However, the forensic probe has revealed that the hackers may have accessed servers containing personal information collected from a subset of merchant applicants. Besides names, addresses, and Social Security numbers, Global Payments also stores the drivers' license numbers and banking account numbers of merchants, according to the company's regulatory filings.

In a statement, Global Payments says: "It is unclear whether the intruders looked at or took any personal information from the company's systems; however, the company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost."