Heartland Payment Systems, the third largest merchant processor of credit and debit cards in the country with more than 250,000 participating merchants nationwide, revealed on Jan. 20 that it had suffered a significant lapse in its security sometime in 2008. The company revealed that at some point during the year someone had installed malicious software on its systems that enabled the theft of card data from merchants on its system.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin Jr., Heartland's president/chief financial officer in a statement. "We understand that this incident may be the result of a widespread global cyber-fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
The company has not returned calls seeking further comment. Its announcement did not say whether the firm had been compliant with industry data security standards before the breach, but the company has been known as a leading advocate of breach prevention.
"Heartland apologizes for any inconvenience this situation has caused," continued Baldwin. "Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."
The company reported that Visa and MasterCard had made it aware of "suspicious activity" around some already processed card transactions. The company launched an investigation that discovered "malicious software" placed on its system.
The company said it "immediately" took a number of steps to secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals, the company added.
The company's initial announcement stated: "No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms."
But CUNA Mutual Group, the insurer for the majority of U.S. credit unions, said it is convinced the breach was significant and that the number of card accounts compromised is in the millions.
"Although the exact number of affected cards is not known, it is expected to be many millions. Card-issuing credit unions and their members will be impacted by this breach," said Charles Cashman, an executive with CUNA Mutual's Plastic Card Insurance.
The insurer reported that Visa and MasterCard have confirmed a significant number of credit and debit card accounts were compromised in the 2008 breach.
Cashman said CUNA Mutual had been looking into a spike in card fraud since October 2008, and it appeared that the Heartland breach was the source.
"CUNA Mutual risk management detected that something big was happening," Cashman said. "We reported our findings to both card associations to help facilitate an investigation to determine if a breach had occurred and, if so, its origin. It seems our worst fears are coming true, but we are relieved that it's finally been solved."
Cashman explained that CUNA Mutual felt confident that Heartland was the source of the breach because of the nature of the fraud incidents it detected in the fall of last year.
"Card data breaches at processors are very rare," Cashman said. "Overall, there were 600 documented breaches of merchant card security in 2008 and only one breach at a processor."
He explained that most single merchant breaches give themselves away because the majority of fraud incidents occur on cards used at that merchant. However a breach at a processor, particularly a nationwide processor, can lead to incidents scattered around the entire nation, which was what the insurer started seeing last fall.
With the company remaining silent about the details of the breach, it's unclear where the incident will go from here.
The breach is certainly a smudge on Heartland's reputation as it has long made a point of touting its security. "As a business owner, protecting your business from fraud and the penalties associated with it is critical," the company wrote in the Dec. 2008 issue of Payments Insider newsletter. "If sensitive business or customer data is stolen or illegally accessed, you can get more than a bad reputation. You can be heavily fined and faulted for putting your patrons at risk for identity theft."
At least two law firms have begun to advertise on the Internet for clients who might have had cards compromised in the breach.