Firm Reports Massive Data Breach From Credit, Debit Transactions

By Brian Krebs Staff Writer
Wednesday, January 21, 2009

A security breach at a Princeton, N.J., payment processor last year may have compromised data from tens of millions of credit and debit card transactions, company officials said yesterday.

Robert H.B. Baldwin Jr., president and chief financial officer of Heartland Payment Systems, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports from MasterCard and Visa in October.

Heartland called the U.S. Secret Service, which investigates financial crimes, and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software on the company's processing network was recording payment card data as it was being sent to Heartland by thousands of the company's retail clients.

Baldwin said Heartland does not know how the software got there, how long it was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

"The transactional data crossing our platform, in terms of magnitude . . . is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."

Baldwin said 40 percent of transactions the company processes are from small to midsize restaurants across the country. He declined to name any clients that may have been affected by the breach.

"No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair," he said. "Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know."

The company said no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were obtained through the breach because that information is not contained on cards.

The data stolen does include digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can imprint the same data onto counterfeit cards.

"One piece of information we know they did not get was an address," Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."

Baldwin said it was "not appropriate" for Heartland to offer affected consumers credit protection or other identity theft protection services.

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said. "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers."

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure.

"This looks like the biggest breach ever disclosed, and they're doing it on Inauguration Day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."

Baldwin said Heartland worked to disclose the breach last week.

"We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility," Baldwin said.

Officials from the U.S. Secret Service could not be reached for comment.

© 2009 The Washington Post Company