Major credit card processing firm hit by hackers
Fraudsters could be able to duplicate millions of credit cards after breaking into a major card processing firm’s system. The breach at Heartland Payment Systems may be the largest such data loss in history.
Robert Baldwin, the president and chief financial officer of Heartland, says the company began receiving reports of fraudulent transactions at client businesses late last year. It informed the Secret Service and hired forensics teams to investigate. At some point last week it confirmed that a rogue data capture program had been inserted into its processing network.
The New Jersey firm, whose slogan is ‘The Highest Standards, The Most Trusted Transactions’, processes transactions for more than 250,000 businesses, around 40,000 of which are small to medium-sized restaurants. The firm is refusing to name any of its clients, arguing that with so many firms involved it would be unfair to risk tainting a well-known chain.
The data that may have been stolen is the information encoded on the magnetic strip on the back of cards, including the card number and expiry date, but not information such as the cardholder’s address or social security details. This means that fraudsters would struggle to use the details for online purchases and will instead likely use them to print bogus cards for use in stores.
Heartland has created a dedicated Web site to reassure customers at http://2008breach.com/. However, at the time of writing both this and Heartland’s main Web site were unavailable, presumably because of excess demand. Disclosure laws in more than 30 states mean that once the full details of the attack are known, Heartland will have to notify cardholders whose data was vulnerable.
Customers should be protected from most losses: federal laws limit customer liability for fraudulent transactions and many banks will not charge customers at all unless they’ve been negligent. There’s not a great deal cardholders can do until they hear from Heartland or their card provider. However, it’s worth keeping a closer eye than usual on statements for unfamiliar transactions, particularly for small amounts, which may indicate a fraudster checking that a card is active before attempting to cash in.
Given that the problem was known about by Heartland management for some time and the breach was confirmed last week, there’s some suspicion about the timing of the announcement, which came the day of Barack Obama’s inauguration. Heartland insists it wasn’t an attempt to bury the news and says it was simply unable to get legal clearance to announce the details earlier.
The breach is likely the biggest credit card data loss ever. The previous record belonged to retailer TX Maxx when details of 45 million cards were exposed.
January 21st, 2009
In the realm of risk, unmanaged possibilities become probabilities: Most breaches are due to a lagging business culture. As CIO, I’m always looking for ways to help my teams. Required reading is “I.T. WARS: Managing the Business-Technology Weave in the Millennium.” I like to pass along things that work, hoping good ideas make their way to me.
January 21st, 2009
>it was simply unable to get legal clearance to announce the details earlier
I’ve heard that one before.