It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Payment Processor Breach May Be Largest Ever
A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today.
If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.
Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.
"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."
"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."
The company did not respond to several phone calls and e-mails Wednesday seeking further details.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," he said.
Heartland says it has closed the security hole that allowed criminals to infiltrate their systems, but the matter is far from settled. The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company's survival if the big card brands decide to cut off Heartland from connecting to their networks.
Heartland says it doesn't know yet how much data was stolen, since the malicious program was capturing data as it flowed across the network, and in that type of intrusion it's hard to figure out how much data was snatched in transit by the interlopers. But the potential damage could be very large because Heartland processes 100 million transactions a month, mostly for small to medium-sized businesses.
Robert Baldwin, Heartland's president and chief financial officer, said the thieves accessed a part of Heartland's network that handles transactions for 175,000 of the 250,000 merchants the company works with. He said the program slipped past Heartland's antivirus software and was able to read data in unencrypted form as it was passed from Heartland to the card brands.
"Unfortunately the bad guys are very, very good," he said. "The malware we encountered did not, and does not, get very well captured by antivirus software, so it's a challenge we're going to have to keep working as an industry to combat."
Heartland hasn't identified the merchants that may have been affected by the breach, so it's difficult for consumers to identify whether they might be victims of fraud.