In association with heise online

21 January 2009, 09:02

Over 100 million credit / debit cards compromised


A data breach at Heartland Payment Systems may be the largest on record. Heartland processes payments "for more than 250,000 business." The Washington Post has reported that over 100 million credit and debit cards may be involved in the breach (although this figure seems to be based on Heartland's figure for transactions per month). The cause of the breach is malicious software installed on the company's network. According to the Washington Post, Heartland has called in the "U.S. Secret Service and hired two forensics teams to investigate."

Heartland's CFO Robert Baldwin says, "We recognize and feel badly about the inconvenience this is going to cause consumers" – "The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month." Baldwin refused to identify the names of any of their business customers who may be affected. He said it would be unfair to mention any one of his company's customers. He did confirm that Heartland does not know how long the malicious software was in place. "At this point, though, we don't know the magnitude of what was grabbed."

The breach is likely to be the largest data breach ever reported. The data from the cards includes the card numbers, the names on the cards, and expiry dates: all of the information from the magnetic strip. According to Baldwin, this means "that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Other details that were not compromised include social security numbers and PIN numbers.

Avivah Litan, a fraud analyst with Gartner Inc., speculates in The Washington Post article that Heartland decided to wait until just after the inauguration of President Barack Obama to release the news, possibly as a distraction. However, Baldwin claims that Heartland tried to disclose the breach last week. "Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today."

At the time of this writing Heartland's website is not responding.

