Payment System Breach May Expose 100 Million

By: Absolute Team | 1/22/2009

Who Breached: Heartland Payment Systems
Number Affected: As many as 100 Million+
Information breached: Credit Card Data
How: Network compromised

In a breach to rival those of TJX (~45 - 94 million) in the US and HMRC (25 million) in the UK, Heartland Payment Systems announced on January 20th that it has uncovered malicious software in its processing system. Cyber criminals gained access to its network and to the 100 million credit card transactions it handles each month.

Although no merchant information or Social Security Numbers were compromised, the improperly accessed data included the information on a card's magnetic stripe (card number, expiration date, bank codes), which could be used to duplicate the cards. Heartland says that it cannot estimate the number of records that may have been accessed.

Avivah Litan, analyst at Gartner, calls the Heartland Payment Systems breach the "largest card-data breach ever". Heartland's president says it's too early for such a "speculative" statement.

Heartland has set up a breach website with a statement of the incident:

"After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network."

At the time of this breach, Heartland did not have real-time monitoring of network activities that would have detected the access. The company recommends that customers examine their monthly statements closely and report any suspicious activity.

Earlier this month, CheckFree Corporation also notified more than 5 million customers that criminals took control of several of their domains and redirected customers to malicious websites.

Via FOX, Computerworld, WSJ