• On The Insider: Britney's Bikini-Clad Top 10
advertisementGet Smart about Business Spending
January 20, 2009 2:51 PM PST

Payment processor Heartland reports breach

by Elinor Mills

Updated 3:25 p.m. PST with comment from Heartland.

Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses, reported Tuesday that consumer credit card data was exposed in what may be the largest security breach ever.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion last week and immediately notified law enforcement and credit card companies.

Robert H.B. Baldwin Jr., president and chief financial officer of Heartland, told CNET News he did not know how many credit and debit card accounts may have had their information exposed. The company handles 100 million transactions per month but does not know exactly how many unique cards or consumers that translates to, he said.

"We could do that analysis but we have not done it," Baldwin said. "The question is what percentage of transactions did the malware capture and what percentage got out to the bad guys?"

He also would not say when the malware arrived in its system. "We have suspicions as to when, but can't nail that down. We're still working on how" the malware got there, he added. "We believe the intrusion is contained."

"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said in the statement.

No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said.

Heartland was alerted in the late fall to suspicious activity surrounded processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, Baldwin said.

The company said it will implement a system to flag anomalies in real time and that it created a Web site to provide information on the breach to customers, who will not be held responsible for fraudulent charges.

Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said.

Previously, the largest breach was the 45.7 million credit and debit card numbers reported compromised in 2007 by TJX, which owns retailers TJ Maxx and Marshalls. TJX settled a class action lawsuit in that case. Eleven people, from the U.S., Europe and China, were charged in the case.

Reports of data breaches in the United States increased 47 percent in 2008 from the year before, the nonprofit Identity Theft Resource Center reported in a study released two weeks ago. About 14 percent of the breaches were due to hacking, the report said.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

News,

Privacy & data protection

Tags:

security,

data breach,

TJ Maxx,

Heartland

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Security
Apple plugs holes for domain spoofing, other attacks
Microsoft launches Forefront Protection 2010
'60 Minutes'--Cyberwar: Sabotaging the system
Microsoft to fix holes in Windows, Office
Google privacy controls: Most people won't care
Zero-day flaw found in Web encryption
Mac Game: Art project or malware?
Corporate bank accounts targeted in online fraud
Related
ChoicePoint to pay $275,000 in latest data breach
More security breaches hit midsize companies
LA approves $7.2 million Google Apps deal
Hacked Web mail accounts used to send spam
CNET News Daily Podcast: Droid navigates its way to market
File sharing's mysteries again stump Uncle Sam
IBM privacy chief: Asia need not mimic Europe
Payments start-up Zong moves beyond mobile
Add a Comment (Log in or register) (13 Comments)
  • prev
  • 1
  • next
by jug831 January 20, 2009 3:25 PM PST
The scary part is that is happened last year and had no clue!
Reply to this comment
by bj70117 January 20, 2009 3:45 PM PST
Even scarier is the fact that we don't know what bank cards are affected. I have had a new card from Regions in the last year and have no idea who or what knew my account number for fraudulent charges. Was this the cause? Why don't they disclose this information? Do we have any rights here?
Reply to this comment
by bj70117 January 20, 2009 3:45 PM PST
Even scarier is the fact that we don't know what bank cards are affected. I have had a new card from Regions in the last year and have no idea who or what knew my account number for fraudulent charges. Was this the cause? Why don't they disclose this information? Do we have any rights here?
Reply to this comment
by superswiss January 20, 2009 3:56 PM PST
If you haven't had a fraudulent charge on your account by now it's fair to assume that they don't have your account number. Frankly, getting my credit card number stolen is the least of my concern. As a consumer, I'm not liable for any fraudulent charges as long as I report it to the credit card company. They'll investigate and issue a new card worst case. Now if they leaked social security numbers, that would be a whole different story.
by Zoobie January 21, 2009 7:21 AM PST
"Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said. "

Yeah, right. The breach was known before Christmas, but it just so happens that the facts came together to be released in perfect relation to the inaguration. I can't stand dishonesty like this.
Reply to this comment
by eiverson January 21, 2009 8:56 AM PST
Where was the malware found? Servers and/or client machines? Would be nice to know if its been revealed somewhere (often isn't)?
Reply to this comment
by Pointedly January 21, 2009 9:27 AM PST
Two things (the first, factual and the second, conjecture): (1) There is some evidence that indicates this security breach began in 2007 (and, perhaps, earlier) rather than in 2008; (2) There is the possibility of collusion. There is the possibility that someone inside Heartland was paid off to enable the breaches in security.
Reply to this comment
by johnfranks1234 January 21, 2009 10:10 AM PST
Price Waterhouse Cooper and Carnegie-Mellon?s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and overall enterprise (business) risk. I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture ? and people aren?t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities ? read the book BEFORE you suffer a bad outcome.
Reply to this comment
by w_bee January 21, 2009 10:22 AM PST
I have had the kind of personal information breach with two different companies over the past five years.

I wonder how many more undetected breaches are there for each breach uncovered.
Reply to this comment
by ksingletary4solidcore January 21, 2009 11:41 AM PST
As with all of the large scale breaches the details are always unclear. I don't feel all that confident about the remediation plan of putting in a system to detect anomalies? You need to shore up the infrastructure and create a solid core (www.solidcore.com). The only way to regain control of our financial trust to ensure 100% system integrity of these processing systems. This malware was obviously targeted to this environment and could have been implemented by a stealthy insider hiding as simple system level objects, like drivers and scripts. This is not your standard corporate like virus or worm but something much more devastating as we are now experiencing.
Reply to this comment
by Vegaman_Dan January 21, 2009 5:00 PM PST
"No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said. "

Just bankcard numbers, expiration dates, verification codes, bank account information, etc. You know, unimportant stuff. :P

If this is the largest security breach in the nation's history, why is it only a tiny story in a subheading on the main page instead of a headline?
Reply to this comment
by FinkelsteinThompson January 27, 2009 11:32 AM PST
Finkelstein Thompson LLP (www.finkelsteinthompson.com) is a law firm that represents individuals who have been harmed by unfair business practices. We are currently investigating claims that consumers? credit and debit card information has been compromised by a data breach at Heartland Payment Systems.

If you believe you have been affected by the Heartland data breach and wish to discuss your rights and interests in this matter, please contact our Washington, D.C. office at 877-337-1050 or by email at contact@finkelsteinthompson.com

Responding to this advertisement does not, by itself, create an attorney-client relationship between you and Finkelstein Thompson LLP.
Reply to this comment
by brentonjameson October 15, 2009 11:52 AM PDT
http://www.heartlandpaymentsystems.com/

At least they caught the guy.
Reply to this comment
(13 Comments)
  • prev
  • 1
  • next
advertisement

After 5 years, Firefox faces new challenges

Mozilla helped reshape the Web since releasing Firefox 1.0 five years ago. Now it's got a reawakened Microsoft and Google Chrome to reckon with.

There's a map for that: GPS or smartphone?

Almost every handset comes with mapping software these days, but standalone GPS devices are becoming more affordable than ever.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET