Payment Processor Heartland Reports Breach
Wisconsin Republican Gov. Scott Walker waits in line to vote Tuesday, June 5, 2012, in Wauwatosa, Wis. Walker faces Democratic challenger Tom Barrett in a special recall election. / AP
Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses, reported Tuesday that consumer credit card data was exposed in what may be the largest security breach ever.
In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion last week and immediately notified law enforcement and credit card companies.
Robert H.B. Baldwin Jr., president and chief financial officer of Heartland, told CNET News he did not know how many credit and debit card accounts may have had their information exposed. The company handles 100 million transactions per month but does not know exactly how many unique cards or consumers that translates to, he said.
"We could do that analysis but we have not done it," Baldwin said. "The question is what percentage of transactions did the malware capture and what percentage got out to the bad guys?"
He also would not say when the malware arrived in its system. "We have suspicions as to when, but can't nail that down. We're still working on how" the malware got there, he added. "We believe the intrusion is contained."
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said in the statement.
No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said.
Heartland was alerted in the late fall to suspicious activity surrounded processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, Baldwin said.
The company said it will implement a system to flag anomalies in real time and created a Web site to provide information on the breach to customers, who will not be held responsible for fraudulent charges.
Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said.
Previously, the largest breach was the 45.7 million credit and debit card numbers reported compromised in 2007 by TJX, which owns retailers TJ Maxx and Marshalls. TJX settled a class action lawsuit in that case. Eleven people, from the U.S., Europe and China, were charged in the case.
Reports of data breaches in the United States increased 47 percent in 2008 from the year before, the nonprofit Identity Theft Resource Center reported in a study released two weeks ago. About 14 percent of the breaches were due to hacking, the report said.
By Elinor Mills
CNET In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion last week and immediately notified law enforcement and credit card companies.
Robert H.B. Baldwin Jr., president and chief financial officer of Heartland, told CNET News he did not know how many credit and debit card accounts may have had their information exposed. The company handles 100 million transactions per month but does not know exactly how many unique cards or consumers that translates to, he said.
"We could do that analysis but we have not done it," Baldwin said. "The question is what percentage of transactions did the malware capture and what percentage got out to the bad guys?"
He also would not say when the malware arrived in its system. "We have suspicions as to when, but can't nail that down. We're still working on how" the malware got there, he added. "We believe the intrusion is contained."
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said in the statement.
No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said.
Heartland was alerted in the late fall to suspicious activity surrounded processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, Baldwin said.
The company said it will implement a system to flag anomalies in real time and created a Web site to provide information on the breach to customers, who will not be held responsible for fraudulent charges.
Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said.
Previously, the largest breach was the 45.7 million credit and debit card numbers reported compromised in 2007 by TJX, which owns retailers TJ Maxx and Marshalls. TJX settled a class action lawsuit in that case. Eleven people, from the U.S., Europe and China, were charged in the case.
Reports of data breaches in the United States increased 47 percent in 2008 from the year before, the nonprofit Identity Theft Resource Center reported in a study released two weeks ago. About 14 percent of the breaches were due to hacking, the report said.
By Elinor Mills
Popular in SciTech
- Oops! The five greatest scientific blunders
- Apple's next iPhone may be coming in June
- Thousands online proclaim: Jahar Tsarnaev is innocent
- 40 years later: Why the Endangered Species Act still matters
- Beam this up: Creating the sounds of "Star Trek"
- Zynga demands employees return stock or get fired
- Alternatives to Google Reader
- The 25 most common passwords of 2012
Wow...what is their definition of "immediately"? The breach occurred last year and just because they "found evidence" of the intrusion last week, that makes it immediate? They know they''re going to be sued, so why bury it? So the hackers have a really good chance of using that information and not get caught? Now they tell everyone to check your credit card bills closely...nothing like immediate action. Heartland is just as guilty as the hackers.