Heartland Payment Systems Security Breach
Heartland Payment Systems of Princeton, NJ reported on Tuesday that a security breach may have compromised tens of millions of credit/debit card transactions last year. If the figures are accurate, this makes the Heartland incident one of the largest data breaches ever reported.
Here’s a quick rundown:
1. Sometime in late 2008, there was a security breach at Heartland, which processes payments for more than 250,000 businesses nationwide.
2. Heartland uncovered the breach when they were notified by the credit card companies of fraudulent charges coming in.
3. Stolen data includes names, card numbers and expiration dates, but not Social Security numbers, addresses, phone numbers, or unencrypted PINs.
4. Heartland doesn’t know who is responsible or exactly how many businesses were affected, but now believes that the breach is closed.
In a press release on the company’s website, Heartland indicates that “cyber thieves breached its system in 2008 and stole credit card information.” The company says it was alerted by Visa and MasterCard to suspicious activity surrounding cards that had all been used at merchants which rely on Heartland to process payments. An investigation uncovered malicious software that had compromised data crossing Heartland’s entire network.
President and CFO Robert Baldwin indicates that intruders had access to Heartland’s system for “longer than weeks” in late 2008; the malware, planted on the company’s network, recorded card data as merchants sent it to Heartland for processing. Baldwin asserts that since no SSNs, addresses, phone numbers, or PINs were stolen, there is no risk of identity theft; the stolen names, card numbers and expiration dates are, however, enough for fraudulent card charges, which is how the breach was detected in the first place. He assures cardholders that if their information was compromised, they are not liable for the fraudulent charges.
Heartland now believes that the security breach is closed.
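Why card data captured in transit inside a processor’s network is so damaging is shown by the following added example, which is not part of the original article and not Heartland’s code: a small Python scanner that looks for cleartext payment-card data (magnetic-stripe Track 2 records and Luhn-valid card numbers) in captured traffic. This is the same check a defender can run on its own internal network to find unencrypted card data before an attacker does, and it goes beyond the article in that it also shows which nearby digit runs (order numbers, masked or tokenized PANs) a Luhn check correctly ignores. The packets, addresses and card numbers below are constructed test data, not real accounts.

```python
"""Added example: scan captured cleartext traffic for payment-card data.
Not from the original article or from Heartland; all payloads, addresses and
card numbers are constructed (the PANs are well-known industry test numbers)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 2 as read from the magnetic stripe (ISO/IEC 7813):
#   [;]PAN=YYMM<3-digit service code><discretionary data>[?]
TRACK2_RE = re.compile(r';?(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\??')
# A 13-19 digit run, optionally broken up by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')


@dataclass
class Finding:
    src: str
    dst: str
    kind: str               # "track2" or "pan"
    pan_masked: str         # first 6 + last 4 only, so the report itself is not cardholder data
    expiry: Optional[str] = None


def luhn_valid(digits: str) -> bool:
    """Luhn check digit (ISO/IEC 7812): rules out most random digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> List[str]:
    """Luhn-valid 13-19 digit runs in a cleartext payload, deduplicated, in order of appearance."""
    pans: List[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in pans:
            pans.append(digits)
    return pans


def find_track2(text: str) -> List[Tuple[str, str]]:
    """(PAN, expiry YYMM) pairs for Track 2 records in a payload."""
    out: List[Tuple[str, str]] = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm = m.group(1), m.group(2), m.group(3)
        if luhn_valid(pan):
            out.append((pan, yy + mm))
    return out


def scan_capture(packets: List[Tuple[str, str, str]]) -> List[Finding]:
    """packets: (src, dst, decoded payload) triples, e.g. reassembled from a pcap."""
    findings: List[Finding] = []
    for src, dst, payload in packets:
        seen = set()
        for pan, exp in find_track2(payload):        # full stripe data is the worst case
            findings.append(Finding(src, dst, "track2", mask_pan(pan), exp))
            seen.add(pan)
        for pan in find_pans(payload):               # bare PANs (e.g. keyed or e-commerce auths)
            if pan not in seen:
                findings.append(Finding(src, dst, "pan", mask_pan(pan)))
    return findings


# Constructed sample traffic between hypothetical POS hosts and a hypothetical processing gateway.
SAMPLE_PACKETS = [
    ("10.1.1.20", "10.1.2.5", "POS swipe: ;4111111111111111=251210112345?"),            # Track 2 in the clear
    ("10.1.1.21", "10.1.2.5", "auth req pan=5555 5555 5555 4444 exp=1226 amt=4999"),    # keyed PAN in the clear
    ("10.1.1.22", "10.1.2.5", "order 1234567890123 shipped; tracking 4111111111111112"), # digit runs that fail Luhn
    ("10.1.1.23", "10.1.2.5", "settlement ref 411111******1111 tok=9f3a"),             # truncated PAN: nothing to steal
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_PACKETS):
        print(f)
```

Only the first two packets produce findings; the order number and the mistyped card number fail the Luhn check, and the truncated reference in the last packet never forms a 13-digit run. The same logic is what a sniffer on a processor’s network would use to harvest card data, which is why encrypting card data end to end between merchant and processor, rather than relying on the network being private, removes the target.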
Deceptive Disclosure, or Just Good Timing?
With the disclosure of the security breach falling on Barack Obama’s inauguration day, many industry officials are questioning Heartland’s timing of the news release. Says Avivah Litan, fraud analyst with Gartner Inc., “This looks like the biggest breach ever disclosed, and they’re doing it on inauguration day? I can’t believe they waited until today to disclose. That seems very deceptive.”
Baldwin counters, saying that Heartland worked to disclose the breach last week, but couldn’t due to legal procedures. He claims that Heartland considered holding back another day, but ultimately decided it was important to get the information out as soon as possible, “recognizing of course that this is not an ideal day from the perspective of visibility.”
So on a day when most of America is glued to coverage of the Presidential inauguration, is this deceptive, or just good timing (from Heartland’s standpoint, that is)?
Is Your Processing Company Safe?
The Heartland disclosure follows a year of similar breach disclosures across the U.S. payment card industry. In 2008, payment processor RBS WorldPay and grocery chain Hannaford Brothers Co. disclosed breaches of their payment systems that may have affected millions of credit/debit card accounts. Similarly, retailer TJX Companies Inc. disclosed a series of breaches in 2007 that exposed more than 45 million account holders. In 2005, a breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts. The increasing number of incidents suggests that cyber-crooks are targeting payment processors more and more, sparking security concerns across the entire payment processing industry. Because Heartland maintains that it is compliant with the Payment Card Industry Data Security Standard (PCI DSS, the security controls mandated by the major card brands), the breach adds to growing doubt about the effectiveness of PCI rules: a compliance assessment is a point-in-time snapshot, and it evidently did not stop malware from recording card data in transit on the processor’s own network. Can what happened to Heartland happen again?
Merchant Service Inc., or MSI, is a credit card processing company that provides the merchant accounts, credit card machines, and software that allow businesses to accept credit and debit card transactions. MSI’s security has never been breached.