Wed 21 Jan, 2009 09:55 am
Credit Card Processor Says Some Data Was Stolen
By ERIC DASH and BRAD STONE
Published: January 20, 2009
Heartland Payment Systems, a major payment processing company, disclosed a data breach on Monday that potentially exposed tens of millions of credit and debit cardholders to the risk of fraud in what could quickly become one of the country’s biggest data compromises.
Robert H. B. Baldwin Jr., Heartland’s president and chief financial officer, said that his company believed the card numbers, expiration dates, and in some cases cardholder names were exposed after attacks on its computer systems at the one point where data had been unencrypted.
Once consumers swiped their cards, so-called sniffer software captured that data as Heartland sought authorization from the major payment companies and banks. Customers of Visa, MasterCard, American Express and Discover Financial were all vulnerable.
“We have industry-leading encryption, but the data has to be unencrypted to request the information,” Mr. Baldwin said. “The sniffer was able to grab that authorization data at that point.”
Data thieves introduced the software as early as May, but Heartland did not detect the breach until it was alerted to the activity in late fall. The personal data of 600 million or more cardholders was vulnerable, but data security experts suggested data from far fewer accounts had been extracted. Other confidential information, like personal security codes, is not believed to have been compromised. That might limit damages.
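The mechanism the article describes is simple: card data that is encrypted everywhere else has to be in the clear at the moment the processor forwards it for authorization, and anything that can read that path (the attackers' sniffer, or a defender's own monitor) can pick card numbers out of it. The following is an added illustration, not code from the article or from Heartland, and the two authorization messages in it are constructed in a made-up field format, not real traffic or a real wire format. It shows the kind of pattern match a sniffer or a DLP sensor would run (digit runs validated with the Luhn check that every major card brand uses) against a cleartext authorization message and against a variant in which the PAN has been replaced by a surrogate token, so that the same path carries nothing worth stealing.

```python
import re

# Constructed sample: a plaintext authorization request of the kind the
# article describes. Field names and layout are invented for illustration,
# not a real processor or card-network format. The PAN and expiry are in
# the clear because this is the point where they must be sent onward.
CLEARTEXT_AUTH = (
    "MTI=0100|PAN=4111111111111111|EXP=1210|AMT=004250|NAME=J DOE|"
    "TERM=T0001|TRACE=000123"
)

# Constructed hardened variant: the PAN is swapped for a surrogate token
# issued by a separate vault, so a tap on this path yields no card number.
TOKENIZED_AUTH = (
    "MTI=0100|TOKEN=tok_9f3a7c2e4b1d|EXP=1210|AMT=004250|NAME=J DOE|"
    "TERM=T0001|TRACE=000123"
)

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces
# or dashes, not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right,
    subtracts 9 from doubled values above 9, and requires the sum to be
    a multiple of 10. This is what separates a PAN from a random number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid card-number-looking string in text,
    with separators removed. Short numeric fields (amounts, trace
    numbers, expiry dates) never reach the length threshold."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a monitoring alert
    would, so the alert itself does not become another leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_messages(messages: list[str]) -> list[str]:
    """Scan a list of captured messages and return one masked finding
    per PAN seen in the clear. An empty result means the path carries
    nothing a sniffer could reuse."""
    return [mask(pan) for msg in messages for pan in find_pans(msg)]


if __name__ == "__main__":
    print("cleartext path:", scan_messages([CLEARTEXT_AUTH]))
    print("tokenized path:", scan_messages([TOKENIZED_AUTH]))
```

Run against the cleartext message the scanner reports the masked PAN; against the tokenized message it reports nothing, which is the property a processor wants on any segment an attacker might reach. The same logic, pointed at a span port or a memory dump, is a cheap check for where cleartext PANs actually exist in a payment path, which is the question Heartland's breach turned on.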
Even so, the Heartland breach could wind up rivaling some of the largest data thefts. In January 2007, the discount retail chain TJX revealed that data on more than 45 million customers had been compromised. And 40 million cardholder accounts were exposed in the 2005 data compromise at a tiny payment processor, CardSystems Solutions.
Avivah Litan, a data security analyst, said that the Heartland breach could result in hundreds of millions in losses and other expenses. “If you add it all up, including legal costs, it could be as much as half a billion dollars in losses, or twice as big as TJX,” she said.
Mr. Baldwin said that Secret Service officials investigating the breach suggested that the thieves involved in the attack might be part of an “international ring of hackers that are introducing breaches at a number of financial institutions.”
The Heartland breach also showed that in spite of the adoption of more stringent standards and tougher oversight by banks and credit card companies, consumers are still vulnerable. All this is happening after credit card companies and merchants spent over $2 billion on establishing the Payment Card Industry standards, Ms. Litan said. “And yet the breaches continue and they get more serious.”
Heartland, based in Princeton, N.J., works with about 175,000 small merchants and processes about 100 million transactions a month. It has created a Web site, 2008breach.com, to provide information about the incident. Cardholders are not responsible for unauthorized fraudulent charges.
I was one of those whose id was stolen. I received a notice from Bank of America that my credit card info was hacked. My account was closed and a new card issued. Within a month, I got another notice that several hundred dollars of unusual charges from Europe were showing up on my new card. This account was closed and another card was issued. I hope the new card is OK and safe.
Wells Fargo had a similar incident in December but it wasn't about electronic data. They haven't made it public yet and should. My Wells Fargo/MasterCard debit card is due to expire at the end of January and I hadn't received a replacement by January 10th so I called WF and was told that they have had thousands of similar calls from their account holders and that apparently all cards that were sent out in the mail on December 4th have never made it to their recipients. I asked why none of the recipients were informed of this when they figured out what was happening rather than leaving it to us to call when our cards did not arrive. No answer. I asked if it was being investigated. No answer. I then cancelled my card.
Those "no answer"s sound like a pretty good reason to cancel.