Enormous Data Security Breach of Major Payment Processor
An enormous data security breach at Heartland Payment Systems may have exposed confidential information from tens of millions of debit and credit card transactions. In 2008, Princeton, N.J.-based Heartland Payment Systems announced a security breach in its payment network. If that announcement proves accurate, this will be one of the largest data security breaches ever.
Heartland's president and C.F.O., Robert Baldwin, stated that Heartland began receiving reports of fraud from MasterCard and Visa in late 2008.
Heartland currently provides merchant payment processing for more than 250,000 companies. According to Baldwin, 40 percent of the transactions Heartland processes come from small to medium-sized restaurants. However, he declined to name Heartland's larger or better-known clients. In defense of his silence, he argued that "It would be unfair to mention any one of his company's customers."
Baldwin continued: "No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair ... Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know."
After informing the Secret Service, Heartland retained two forensic teams to investigate further. However, Baldwin stated that the primary source of the breach was not identified until mid-January 2009. The investigators found software inside Heartland's processing network designed to steal payment card data while payments were being processed. This network handles transactions for thousands of Heartland's clients.
Baldwin also stated that Heartland does not know how long the breach had been under way, how long the software was in place, how the software got into the network, or how much information may have been compromised. The breach exposed the names, credit and debit card numbers and expiration dates from an untold number of payments made through Heartland's payment network. According to Baldwin: "At this point, though, we don't know the magnitude of what was grabbed ... The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month." However, the company states that no merchant information, cardholder Social Security numbers, personal identification numbers (PINs), telephone numbers or personal addresses were exposed in the breach.
The stolen information includes the encoded data on the magnetic stripes of debit and credit cards; with it, thieves can create counterfeit cards. In defense of the company's position, Baldwin stated, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address ... the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants is not impossible ... but much less likely."
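As an added example (not part of the original article or Heartland's own tooling), here is the kind of detection check a processor can run over memory captures or traffic samples to spot the data the software described above was built to harvest: it flags records laid out like magnetic-stripe Track 1/Track 2 data (ISO/IEC 7813 field layout), discards decoys that fail the Luhn check, and masks the card number in its output. The buffer, card number (a well-known test PAN) and cardholder name are constructed.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]{0,40})\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d{0,40})\?")


def luhn_ok(pan):
    """Luhn mod-10 check, used to drop look-alike strings that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep BIN and last four so analysts can triage without logging the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf):
    """Return one finding per Luhn-valid Track 1 / Track 2 record found in buf."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan, name, exp, svc = m.group(1), m.group(2), m.group(3), m.group(4)
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                             "name": name, "expiry": exp, "service_code": svc})
    for m in TRACK2_RE.finditer(buf):
        pan, exp, svc = m.group(1), m.group(2), m.group(3)
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                             "expiry": exp, "service_code": svc})
    return findings


# Constructed sample: two genuine-looking records plus a Luhn-invalid decoy.
SAMPLE = (
    "POS terminal heartbeat OK\n"
    "%B4111111111111111^DOE/JOHN^2512101000000000?\n"
    "checksum 1a2b3c\n"
    ";4111111111111111=2512101123456789?\n"
    ";1234567890123456=2512101000?\n"
)

if __name__ == "__main__":
    for f in scan_for_track_data(SAMPLE):
        print(f)
```

Note what the matched fields contain and what they do not: name, PAN, expiry and service code are present, while the billing address used by card-not-present checks is not on the stripe at all.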
Asked whether Heartland would offer affected customers identity theft protection or credit protection, Baldwin stated, "It was not appropriate ... Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible ... In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers ..."
Speaking for Gartner Inc., Avivah Litan questioned the timing of Heartland's disclosure, which fell on the day of Barack Obama's inauguration. Litan stated: "This looks like the biggest breach ever disclosed, and they're doing it on inauguration day? I can't believe they waited until today to disclose. That seems very deceptive." Baldwin defended the timing: "Due to legal reviews [and] discussions with some of the players involved, we couldn't get it together and signed off in time ... We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility."