US payment processor Heartland reports massive data breach

US payment processor Heartland reports massive data breach

Heartland Payment Systems says it has found malicious software in its processing system, potentially compromising the card data of millions of people.

In a statement, the US payments processor says the malware, planted last year, has compromised data that crossed its network. Credit card numbers and expiration dates have been exposed, the firm's president, Robert Baldwin, told reporters.

The company has not revealed how many people are at risk or precisely how long the malware was in its computer system. However, according to its Web site, Heartland serves more than 250,000 businesses around the country and handles over four billion transactions a year.

The intrusion was uncovered last week by an investigation conducted by forensic auditors who were bought in after Visa and MasterCard warned of suspicious activity surrounding processed card transactions.

Baldwin says the company understands the breach "may be the result of a widespread global cyber fraud operation".

The firm says no merchant data or cardholder social security numbers, unencrypted PINs, addresses or telephone numbers were involved in the breach.

Federal law enforcement officials and the card firms have been informed and a Web site has been set up for concerned cardholders. Customers are also being advised to examine their monthly statements closely and report any suspicious activity to their card issuers.

The firm will now roll out a programme to "flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals".

The Heartland breach comes just weeks after CheckFree's electronic bill payment site was compromised, with criminals redirecting user traffic to a bogus malware site. The firm has warned around five million customers that their data may be at risk.

In 2007 over 94 million Visa and MasterCard accounts are estimated to have been exposed to fraudsters in the security breach at US retailer TJX.

Comments: (1)

Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney 22 January, 2009, 21:43Be the first to give this comment the thumbs up 0 likes

If "Visa and MasterCard warned of suspicious activity surrounding processed card transactions" then presumably data stolen from Heartland was found being replayed in CNP frauds.  Yet "[the] firm says no merchant data or cardholder social security numbers, unencrypted PINs, addresses or telephone numbers were involved in the breach."  That's hard to believe. Most CNP replay attacks will need to use the billing address and full name on top of the CCN and Exp Date.  So it seems unlikely that addresses would not have been involved in the breach.  Furthermore, when attackers go to all the trouble of stealing CCNs and Exp Dates, why wouldn't they also nab SSNs, phone numbers and anything else they can get their hands on?

 

Featured Job
All Jobs »