Will Heartland Become the Largest Data Breach in History?

According to a press release from Heartland Systems, a payment card processor, their data has been compromised since sometime last year. According to the site set up to cover the incident, they promptly notified the Secret Service and hired two teams of forensic computer investigators to look into the case.

Heartland was initially notified by Visa/Mastercard of suspicious activity, which led to malicious software being discovered in their system. The malware in question was harvesting and (obviously) transmitting data. In the press release, they state they believe the breach has been contained. Heartland claims no merchant data, social security numbers or unencrypted PINs were compromised. They were also quick to add that their check management systems, Canadian payroll, campus solutions, micropayments operations and recently acquired Network Services and Chockstone processing platforms had not been compromised, either.

It should be noted that in previous breaches, additional items were later discovered to have been compromised as the investigation progressed.

Brian Krebs at the Washington Post interviewed Robert Baldwin, Heartland's president and chief financial officer, who stated they don't know how many transactions were compromised. In the interview, Baldwin pointed out that since the card numbers compromised didn't have address information, it would be hard for fraudsters to use them in card-not-present (e-commerce) transactions. Most e-commerce platforms validate the address tied to the card as a security measure. I thought about this for a second and remembered that Visa/Mastercard had warned Heartland about suspicious transactions. If there were suspicious transactions, I would deduce someone is using this data to commit fraud. Besides that, I doubt anyone sophisticated enough to pull this off would go to all this trouble (and potential legal exposure) if they couldn't use the information to make money. This is another thing that might suggest additional information will be discovered as the investigation progresses.

In the interview, Baldwin declined to name any of their customers who were compromised. Heartland processes payments for about 250,000 customers and processes about 100 million transactions per month. He also said they will not be offering identity theft protection since not enough information was stolen to commit identity theft.

On the Truston blog, Tom Fragala aptly pointed out that this equates to four billion transactions a year. Many are speculating that this will turn out to be the largest known data breach in history. Tom's company, which offers a privacy-friendly identity theft prevention and recovery service, offers a 45-day free trial of their services. Even after the 45 days, the prevention part of the service is free.

Tom blogs on matters like this and wrote an interesting article pointing out the consumer protection features of debit and credit cards. Please note, debit cards offer less protection. The point is that if a card owner doesn't discover the fraud in a specified time period, they can be held liable for the financial loss. It's probably a good time for everyone to pay careful attention to their statements.


Article Author: Ed Dickson

Having worked around financial crimes for a number of years, I noticed they seemed to be on the rise. One reason for this is technology, which grows more rapidly than laws designed to protect us from it. …
