Business and Law
By Samantha Rose Hunt
Wednesday, January 21, 2009 14:46
Princeton (NJ) - Heartland Payment Services, a New Jersey based firm, was cyber-attacked late last year, and the attack could have actually compromised around 100 million credit card and debit card accounts.
Heartland Payment Services processes credit card and debit card transactions for more than 250,000 companies. The breach first came to light in late October, 2008, when the company at that point said it was not sure whether or not they had been attacked and that they'd have to wait until just last week to actually find out. When the company realized that they had been the victim of a sophisticated attack, they notified the public.
Robert H.B. Baldwin, Jr., Heartland's president and CEO, said in the press release, "We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands. We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
Heartland found it had malware on its system which allowed thieves to read through unencrypted card data as transactions were authorized in Heartland's system. The thieves were able to capture card account numbers and expiration dates, and in some cases even collect the name of the customer.
The company has no idea how long the malware was in its system, or how many accounts were compromised, according to a quote Baldwin gave the Washington Post. He said, "The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month. At this point, though, we don't know the magnitude of what was grabbed."
The thieves were not able to obtain PIN numbers or customer address information, which limits the value of the information they were able to obtain. Any effort to use the card online or on the phone would require the thief have the customer's billing address or zip code. The thieves could however clone a stolen debit card so they could swipe the card as a credit card in stores for small transactions. But at this point, they would run the risk of being caught via surveillance cameras, or if a savvy cashier asks for ID.
The breach was first brought to Heartland's attention when Visa and MasterCard began reporting suspicious transactions. However, conflicting information made the company believe it didn't come from their system.
In early December the company sought the help of forensic computer investigators, an it took until last week for the outside agency to discover the breach. At this time the investigators do not know how the intruders got inside the system, but they do know that it was not an employee opening some attachment.
Heartland has not yet released who could be affected by the breach. Heartland has advised consumers to monitor their account statements and report any suspicious activity to their personal card issuer. Most online banking systems maintain online statement histories for at least three months, which may still include the month of October, 2008 right now. Since the company does not know how long the malware was present on their systems, however, it may require looking back even further for anomalous transactions.