PRINCETON, NJ — Payments processor Heartland Payment Systems, based here, divulged last month that it was the victim of a security breach to data within its processing system. Heartland officials said they were alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions and enlisted the help of forensic auditors to conduct an investigation.
An investigation uncovered “malicious software” that compromised data that crossed Heartland’s network, the company disclosed on Jan. 20. Heartland delivers card processing, payroll, check management and payment solutions to more than 250,000 business locations nationwide, and processes more than 100 million credit-card transactions monthly.
Data security analysts interviewed by The New York Times said the financial data breach has the potential to be twice as big as the TJX data breach of 2007, when 45 million credit- and debit-card numbers were stolen. Losses resulting from the Heartland breach, experts say, could amount to as much as $500 million.
USA Today reported that security firm CardCops has been tracking a 20% annual increase in hackers testing batches of payment card numbers to ensure they are active. “The numbers could have come from a processor, like Heartland, or some other source that has access to a lot of customer data but is not a retailer,” CardCops president Dan Clements told the newspaper.
Heartland’s services for vending machines are currently limited. It entered the vending channel three years ago when it acquired cashless pioneer Debitek. In March 2008, the company and Crane Merchandising Systems announced a joint effort to launch Heartland Crane CashCard Solutions for cashless vending.
On Jan. 23, Heartland founder, chairman and chief executive Bob Carr issued a call for “industry cooperation to fight cyber criminals and adoption of end-to-end encryption.” Carr is said to be a strong advocate of end-to-end encryption, which protects data at rest and in motion, as an improved and safer payments security standard.
“I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber-crime attacks,” Carr said. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last [month]."
In that statement, Heartland also reported that no confidential merchant data, Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland said that it does not yet know how many card numbers were obtained. Carr said many reports in the press are speculative.
To date, the data breach was believed to be associated with a criminal group engaging in global fraud, identified by the Secret Service and operating outside North America. The investigation has been turned over to the U.S. Dept. of Justice.