Heartland Payment Systems, one of the largest credit-card processors in the country, announced a major breach in its processing system, which took place sometime in 2008 and exposed the data of a large number of consumers. The company handles the transactions of over 250,000 businesses, but would not say how many consumers may have been affected.
As far as the breach goes, the company believes the intrusion was contained. President and Chief Financial Officer Robert H.B. Baldwin, Jr. said they found evidence of the intrusion last week, after which they immediately notified the appropriate law enforcement agencies. "We understand this incident may be the result of a widespread global cyberfraud operation," Baldwin said, adding that they are currently cooperating with the United States Secret Service and the Department of Justice in the investigation.
According to the company, no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PINs), addresses or telephone numbers were involved in the breach.
The company learnt about the breach after being alerted by Visa and MasterCard of suspicious activity regarding processed card transactions. After a thorough investigation, they found malicious software compromising the data on their network. The company created a website to post details on the breach.
In addition, the company announced it has taken the necessary steps to secure its systems, and that it will soon implement a next-generation program designed to flag network anomalies in real time, which will enable cyber-criminals to be apprehended.
In an interview with InformationWeek, Baldwin said the numbers of the exposed accounts are not clear yet, and what has been mentioned in the media so far is pure speculation.
"We just discovered this last week. We have been working around the clock to get data out to the public because it’s consequential and we think it’s important to be transparent on this," Baldwin said.
He also explained that the breach resulted from keylogging malware that was able to get past the firewall and capture user names and passwords, although it is still hard to say to what extent.
"We are really crushed by this," Baldwin further said. "It’s absolutely antithetical to everything Heartland stands for. We will therefore be redoubling our efforts to be the best processor out there. We obviously are pained by the inconvenience any consumers will have and look forward to coming out of this a stronger company."
The company offered apologies for the inconveniences the situation caused, adding that they are committed to maintaining the security of cardholder data.
This incident resembles another one that was discovered in 2006, when the TJX Companies became the subject of an unauthorized intrusion into its systems, allowing sensitive customer data to be stolen. In that incident, an estimated 45.7 million credit and debit card numbers were compromised, together with almost half a million Social Security numbers and driver’s license numbers.