Payment processor Heartland reports breach

Updated 3:25 p.m. PST with comment from Heartland.

Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses, reported Tuesday that consumer credit card data was exposed in what may be the largest security breach ever.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion last week and immediately notified law enforcement and credit card companies.

Robert H.B. Baldwin Jr., president and chief financial officer of Heartland, told CNET News he did not know how many credit and debit card accounts may have had their information exposed. The company handles 100 million transactions per month but does not know exactly how many unique cards or consumers that translates to, he said.

"We could do that analysis but we have not done it," Baldwin said. "The question is what percentage of transactions did the malware capture and what percentage got out to the bad guys?"

He also would not say when the malware arrived in its system. "We have suspicions as to when, but can't nail that down. We're still working on how" the malware got there, he added. "We believe the intrusion is contained."

"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said in the statement.

No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said.

Heartland was alerted in the late fall to suspicious activity surrounded processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, Baldwin said.

The company said it will implement a system to flag anomalies in real time and that it created a Web site to provide information on the breach to customers, who will not be held responsible for fraudulent charges.

Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said.

Previously, the largest breach was the 45.7 million credit and debit card numbers reported compromised in 2007 by TJX, which owns retailers TJ Maxx and Marshalls. TJX settled a class action lawsuit in that case. Eleven people, from the U.S., Europe and China, were charged in the case.

Reports of data breaches in the United States increased 47 percent in 2008 from the year before, the nonprofit Identity Theft Resource Center reported in a study released two weeks ago. About 14 percent of the breaches were due to hacking, the report said.

[jug831]

The scary part is that is happened last year and had no clue!

[bj70117]

Even scarier is the fact that we don't know what bank cards are affected. I have had a new card from Regions in the last year and have no idea who or what knew my account number for fraudulent charges. Was this the cause? Why don't they disclose this information? Do we have any rights here?

[bj70117]

Even scarier is the fact that we don't know what bank cards are affected. I have had a new card from Regions in the last year and have no idea who or what knew my account number for fraudulent charges. Was this the cause? Why don't they disclose this information? Do we have any rights here?

[superswiss]

If you haven't had a fraudulent charge on your account by now it's fair to assume that they don't have your account number. Frankly, getting my credit card number stolen is the least of my concern. As a consumer, I'm not liable for any fraudulent charges as long as I report it to the credit card company. They'll investigate and issue a new card worst case. Now if they leaked social security numbers, that would be a whole different story.

[Zoobie]

"Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said. "

Yeah, right. The breach was known before Christmas, but it just so happens that the facts came together to be released in perfect relation to the inaguration. I can't stand dishonesty like this.

[eiverson]

Where was the malware found? Servers and/or client machines? Would be nice to know if its been revealed somewhere (often isn't)?

[Pointedly]

Two things (the first, factual and the second, conjecture): (1) There is some evidence that indicates this security breach began in 2007 (and, perhaps, earlier) rather than in 2008; (2) There is the possibility of collusion. There is the possibility that someone inside Heartland was paid off to enable the breaches in security.

[w_bee]

I have had the kind of personal information breach with two different companies over the past five years.

I wonder how many more undetected breaches are there for each breach uncovered.

[ksingletary4solidcore]

As with all of the large scale breaches the details are always unclear. I don't feel all that confident about the remediation plan of putting in a system to detect anomalies? You need to shore up the infrastructure and create a solid core (www.solidcore.com). The only way to regain control of our financial trust to ensure 100% system integrity of these processing systems. This malware was obviously targeted to this environment and could have been implemented by a stealthy insider hiding as simple system level objects, like drivers and scripts. This is not your standard corporate like virus or worm but something much more devastating as we are now experiencing.

[Vegaman_Dan]

"No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said. "

Just bankcard numbers, expiration dates, verification codes, bank account information, etc. You know, unimportant stuff. :P

If this is the largest security breach in the nation's history, why is it only a tiny story in a subheading on the main page instead of a headline?

[FinkelsteinThompson]

Finkelstein Thompson LLP (www.finkelsteinthompson.com) is a law firm that represents individuals who have been harmed by unfair business practices. We are currently investigating claims that consumers? credit and debit card information has been compromised by a data breach at Heartland Payment Systems.

If you believe you have been affected by the Heartland data breach and wish to discuss your rights and interests in this matter, please contact our Washington, D.C. office at 877-337-1050 or by email at contact@finkelsteinthompson.com

Responding to this advertisement does not, by itself, create an attorney-client relationship between you and Finkelstein Thompson LLP.

[brentonjameson]

http://www.heartlandpaymentsystems.com/

At least they caught the guy.