Possibly the largest data security breach in history

Tens of millions of credit and debit card numbers have been compromised in a data breach. Heartland Payment Systems, Princeton, N.J., which processes payments for over 250,000 businesses, received reports last year of fraudulent activity from MasterCard and Visa on cards that had been used at merchants that do business with Heartland. Robert Baldwin, Heartland’s president and CFO, would not reveal specific company names, but he did admit that 40 percent of the transactions that go through the company come from small to mid-sized businesses.

“No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair,” he said. “Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know.”

Heartland had been in contact with the Secret Service and hired two forensics teams to investigate the issue after being informed last year of the breach, but it wasn’t until last week that they finally were able to find the source.

Simply put, the breach came from a piece of software that was nestled in the company’s payment processing network. The software monitored and recorded payment card data as it was being sent through to Heartland to be processed. According to Heartland, no Social Security numbers, personal identification numbers, addresses, or telephone numbers were compromised. The stolen data is limited to information that would be on the actual card: name, credit card number, and expiration date.

Baldwin also admitted that Heartland had no idea how long the virus had been in place or how much information it was able to grab.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”

Because Heartland is positive that information like telephone numbers and addresses was not compromised, it is likely that the stolen data was not used for massive online buying sprees. Rather, the company believes it was probably used to make counterfeit credit cards.

“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said.

Baldwin does not plan to offer those affected by the breach consumer credit protection or other identity theft protection measures.

“Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible,” he said. “In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers.”

An article on the subject in the Washington Post pointed out other similar security breaches that have been exposed recently:

“The Heartland disclosure follows a year of similar breach disclosures at several major U.S. cards processors. On December 23, RBS Worldpay, a subsidiary of Citizens Financial Group Inc., said a breach of its payment systems may have affected more than 1.5 million people.

In March 2008, Hannaford Brothers Co. disclosed that a breach of its payment systems — also aided by malicious software — compromised at least 4.2 million credit and debit card accounts.

In early 2007, TJX Companies Inc., the parent of retailers Marshalls and TJ Maxx said a number of breaches over a three-year period exposed more than 45 million credit and debit card numbers.

In 2005, a breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts.”

I personally was affected by the TJX breach in 2007. I used my debit card to make a purchase at TJ Maxx. In all honesty, the whole process was fairly painless. One day I got a call from my bank explaining what had happened. No money was withdrawn from my account and the bank just issued me a new card as a precautionary measure. I hope that those affected by this latest breach are able to get through it as easily as I did.
