Heartland Payment Systems on Tuesday revealed it was the victim of a system security breach. The hack occurred in 2008, and Heartland believes the intrusion has been contained.
According to the company, no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach.
Robert H.B. Baldwin Jr., Heartland's president and CFO, said the company discovered suspicious activity last week and immediately notified federal law-enforcement officials as well as the payment card brands.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said.
250,000 Companies at Risk
Heartland delivers credit/debit/prepaid card processing, payroll, check management, and payments solutions to more than 250,000 business locations nationwide.
It discovered the breach after Visa and Mastercard reported suspicious activity surrounding processed card transactions. Heartland engaged forensic auditors to conduct an investigation that uncovered malicious software compromising data on Heartland's network.
Heartland said it immediately took steps to secure its systems. Heartland is also implementing a next-generation program designed to flag network anomalies in real time and enable law enforcement to apprehend cybercriminals.
"Heartland apologizes for any inconvenience this situation has caused," Baldwin said. "Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."
An Expensive Attack
Michael Argast, a security analyst at Sophos, said the Heartland breach may not be as bad as it looks -- it may be worse. This is going to be a painfully expensive experience for Heartland, he said, because the costs don't stop at disclosure, loss of good faith with merchants, or regulatory penalties. The cost of securing Heartland's environment and remediating the data loss could run into the millions or even billions of dollars.
"Organizations like Heartland are under sustained, targeted attacks. Customer records typically sell for 50 cents to two dollars each on underground card-trading networks -- times millions of records, this represents significant revenue for the criminals who successfully compromise a high-value target," Argast said.
Although there is no such thing as a bulletproof database or perfect security, in this particular situation the problem was not the theft of a database, which may well have been secure, Argast said. The data was intercepted in transit, while it was unencrypted.
"Security is a process, not a product," Argast said. "In the case of banks and transaction-processing companies, they need to take a much stronger stance on securing their data due to the significant rise in targeted attacks."
Heartland has created a Web site -- www.2008breach.com -- to provide information about the incident to cardholders. 2008breach.com advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.