Payment processor Heartland reports breach

Breach at payment processing company Heartland exposes millions of accounts and could make it the largest security breach ever.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read

Updated 3:25 p.m. PST with comment from Heartland.

Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses, reported Tuesday that consumer credit card data was exposed in what may be the largest security breach ever.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion last week and immediately notified law enforcement and credit card companies.

Robert H.B. Baldwin Jr., president and chief financial officer of Heartland, told CNET News he did not know how many credit and debit card accounts may have had their information exposed. The company handles 100 million transactions per month but does not know exactly how many unique cards or consumers that translates to, he said.

"We could do that analysis but we have not done it," Baldwin said. "The question is what percentage of transactions did the malware capture and what percentage got out to the bad guys?"

He also would not say when the malware arrived in its system. "We have suspicions as to when, but can't nail that down. We're still working on how" the malware got there, he added. "We believe the intrusion is contained."

"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said in the statement.

No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said.

Heartland was alerted in the late fall to suspicious activity surrounded processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, Baldwin said.

The company said it will implement a system to flag anomalies in real time and that it created a Web site to provide information on the breach to customers, who will not be held responsible for fraudulent charges.

Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said.

Previously, the largest breach was the 45.7 million credit and debit card numbers reported compromised in 2007 by TJX, which owns retailers TJ Maxx and Marshalls. TJX settled a class action lawsuit in that case. Eleven people, from the U.S., Europe and China, were charged in the case.

Reports of data breaches in the United States increased 47 percent in 2008 from the year before, the nonprofit Identity Theft Resource Center reported in a study released two weeks ago. About 14 percent of the breaches were due to hacking, the report said.