In what may be the largest credit-card data breach ever experienced, Heartland Payment Systems, which processes credit-card payment for over 250,000 US businesses, said yesterday that the private data from tens of millions of its customer debit and credit-card transactions might be compromised.
Heartland Payment Systems – the largest payments processor in the US – attributed the hack to “a widespread global cyber-fraud operation”. However, the firm admitted to discovering the data breach in 2008, but only released this information to the public yesterday.
Before Heartland, the biggest incident of credit-card data breach was with US retailer TK Maxx, where the personal data of over 40 million credit-card holders was compromised.
In this case, over 100 million credit- and debit-card holders may be affected, and this includes Visa, Mastercard, American Express and Discover Financial.
According to the Washington Post, Heartland president and chief financial officer Robert Baldwin said: “The transactional data crossing our platform, in terms of magnitude … is about 100 million transactions a month.
“At this point, though, we don’t know the magnitude of what was grabbed.”
It was not until some time late last year, when Heartland was alerted by both Visa and Mastercard, to some “suspicious activity surrounding processed card transactions” that the firm realised something was amiss and hired forensic auditors to investigate.
Although the extent of this hack has not yet been determined, Heartland says that no cardholder social security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach.
“There are no details yet as to how the malware got onto their network, or indeed what type of malware it is, or the type of systems infected,” says security expert Brian Honan on his blog Security Watch.
“Often, when I do security assessment for clients, I see strong malware controls on desktops and servers, but the network is one area that is overlooked. Routers, switches and other network components are often never looked at once they have been installed,” he added.
More details on the Heartland data breach can be found at http://www.2008breach.com.