A data breach disclosed today by Heartland Payment Systems may well displace TJX Companies’ January 2007 breach in the record books as the largest ever involving payment data with potentially over 100 million cards being compromised.
Heartland, a N.J.-based provider of credit and debit card processing services said that unknown intruders had broken into its systems sometime last year and planted malicious software to steal card data carried on the company’s networks.
The company, which is among the largest payment processors in the country, claimed to have discovered the intrusion only last week after being alerted by Visa and MasterCard of suspicious activity.
The card companies’ alerts triggered a subsequent investigation by “several forensic investigators” during which the intrusion was discovered, Robert Baldwin Jr., Heartland’s president and CFO, said in the statement.
The company said the intrusion may have been the result of a “widespread global cyberfraud operation”.
Baldwin said Heartland is “cooperating closely with the U.S. Secret Service and Department of Justice.
He said around 100 million card transactions per month occur on the affected systems, which handle processing for merchants and businesses.
Heartland has set up a Web site to provide information about the data breach, and it advised cardholders to examine their monthly statements and report suspicious activity to their card issuers.
Baldwin said the computer forensics examinations conducted by the company have uncovered evidence of multiple instances of malicious software on the Heartland network, although he didn’t disclose the exact number of identified instances.
He apologized for the inconvenience caused by the situation in which customers’ card numbers and, in some cases, names, were stolen.
Heartland does not believe that its payroll or micro-payments operations were affected by the data breach.
It claimed that no merchant data, cardholder’s Social Security numbers, or unencrypted personal identification numbers (PIN), addresses or telephone numbers were compromised.
The company said it’s taking steps to improve its network security by adding what it referred to as “a next-generation program designed to flag network anomalies in real time” to better identify possible criminal activity, but it didn’t go into details.
As with most data breach notifications, Heartland offered no explanations on when it was first informed of the breach by the card companies, when in 2008 the company had been breached, how long the intruders had remained undetected, or how many cards might have been compromised in the intrusion.
A company spokeswoman did not immediately respond to requests for comment.
But given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that much, if not more, said Avivah Litan, an analyst with Gartner Inc.
“It does look like the biggest ever,” Litan said. The TJX breach involved the compromise of over 45 million cards.
It also appears that those behind the breach “made off with the gold” by intercepting and stealing the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that’s needed to create counterfeit cards, Litan said.
Dan Clements, president of CardCops, an identity protection service of Affinion Group Inc., said that he has noticed activity in underground chat rooms that suggested a major compromise at a processor such as Heartland.
Typically when a card is stolen, crooks first check to see if the cards are still active by using it for some transaction — often a very small donation to a charitable organization – to see if it works.
This sort of validity check has increased by nearly 20 per cent over the past few months, suggesting a major compromise. But it’s not clear yet if it is related to the Heartland breach, Clements said.
The Heartland compromise is the second involving a large payment processor over the past few weeks.
One Dec. 23, RBS WorldPay, the payment processing division of The Royal Bank of Scotland Group, announced that its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million card holders.
The compromised information included the Social Security numbers of 1.1 million individuals using payroll cards, the company said.
The incidents suggest that cybercrooks are increasingly beginning to target payment processors, Litan said. “Attacking a processor is much more serious than attacking a retailer.
A processor sits at the nerve center of the payment process,” and processes far more payment card data than any retailer, she said.
“More radical security moves” need to be taken by payments industry as a whole to address the problem, she added.
Such incidents show that the security requirements of the Payment Card Industry Data Security Standard (PCI DSS) being pushed by the major card companies is clearly not enough, Litan added.
With files from Ellen Messmer