News

Payments processor uncovers what might be biggest breach ever

January 20, 2009

Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. The company believes the intrusion is contained.

In an interview with the Washington Post, company president and chief financial officer Robert Baldwin said his company processes about 100 million transactions per month. "At this point, though, we don't know the magnitude of what was grabbed," he said.

If these figures are accurate, the "Heartland incident" may become one of the largest data breaches ever discovered.

story continues below... advertisement
		Data Security and Privacy: Best Practices for Protecting Customer Information through PCI We hope this publication helps you make sense of an issue that is complex today and will only get more so — and that it helps you serve your customers better. Order your copy today!

Late last night, Heartland issued the following press release on its new domain, www.2008breach.com:

PRINCETON, N.J. — Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website — www.2008breach.com — to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

"Heartland apologizes for any inconvenience this situation has caused," continued Baldwin. "Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."