Heartland May Be the Biggest Data Breach Ever

By Matthew Harwood

The data breach at Princeton, New Jersey-based Heartland Payment Systems, which processes payment card transactions, could involve more than 100 million compromised card accounts, possibly making it the largest ever.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer, on Tuesday. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

Heartland says both Visa and MasterCard alerted it to suspicious activity on processed payment cards. After an investigation, Heartland's forensic auditors found software, which according to MSNBC may be sniffer software, that stole payment card information as it crossed Heartland's network.

But Visa and MasterCard cardholders aren't the only customers vulnerable to the breach; American Express and Discover cardholders should also monitor their transaction histories.

According to USA Today:

Anyone who used a payment card at one of the restaurants or retailers that rely on Heartland to process card transactions could be at risk. These merchants include "independent business people in towns and cities across America," including some franchise chains, "but not any corporate names anybody would recognize," Baldwin said. Heartland has been unable to ascertain "a specific start and end date" for the intrusion, and has not been able to determine how many transaction records were stolen, he said.

Heartland ranks as the nation's sixth-largest payment card processor. It processes more than 100 million card transactions a month. Gartner's Avivah Litan believes the breach could exceed 100 million cards, which would dwarf TJX's January 2007 breach of 45.6 million card accounts. "This is TJX on steroids," Paul Davie, COO of database management company Secerno, told USA Today.

The company says it has closed the security hole that cybercriminals exploited to install spying software. But that may not be enough to save Heartland from the consequences of the data breach, says the Associated Press.

The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company's survival if the big card brands decide to cut off Heartland from connecting to their networks.

One big payment processor, CardSystems Solutions, went under after a 2005 data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with CardSystems. Representatives for Visa Inc. and MasterCard Inc. declined to comment.

Others like Jaikumar Vijayan of have another gripe: he wonders if Heartland released news of the breach on Inauguration Day when it knew the media's and the public's concentration would be on the swearing-in of President Barack Obama.

George Hulme called Heartland's disclosure of the breach on Inauguration Day "a cheap PR stunt."

Heartland has created a Web site for cardholders to learn more about the breach.

