Payment Processor Breach May Be Largest Ever
A data breach last year at Princeton, N.J., payment processor
Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today.
If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.
Robert Baldwin, Heartland's president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.
Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach.
Baldwin said it would be unfair to mention any one of his company's customers.
"No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair," he said. "Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know."
Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.
Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."
The company stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were jeopardized as a result of the breach.
The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.
"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."
Heartland Payment Systems, a publicly traded company that provides bank card payment processing services to merchants in the U.S., has suffered a malware breach that may be linked to a “widespread global cyber fraud operation.”
Quote