A security breach has occurred, and our credit cards have been targeted with malicious software that was light-years more sophisticated than the malevolent programs commonly downloaded from the Internet. The targeted cards include Visa, Mastercard, and American Express, according to The Wall Street Journal.
A New Jersey credit-card processor disclosed a data breach that analysts said may rank among the biggest ever reported.
Heartland Payment Systems Inc. said Tuesday that cyber criminals compromised its computer network, gaining access to customer information associated with the 100 million card transactions it handles each month.
The company said it couldn’t estimate how many customer records may have been improperly accessed, but said the data compromised include the information on a card’s magnetic strip — card number, expiration date and some internal bank codes — that could be used to duplicate a card.
Heartland, of Princeton, N.J., processes transactions for more than 250,000 businesses nationwide, including restaurants and smaller retailers.
Avivah Litan, an analyst at research company Gartner, called it the largest card-data breach ever, based on her conversations with industry executives. Previously, the largest known breach occurred when around 45 million card numbers were stolen from retail company TJX Cos. in 2005 and 2006.
Robert Baldwin, Heartland’s president and chief financial officer, said it was too early to say how many records were accessed and that calling it the largest-ever breach would be “speculative.”
Representatives of Visa Inc. and MasterCard Inc. alerted Heartland to a pattern of fraudulent transactions on accounts the processor handled sometime last fall, Mr. Baldwin said. But an internal investigation and audits failed to detect a security breach.
Last week, however, a forensic investigator discovered evidence of the breach. Mr. Baldwin said Heartland was targeted with malicious software that was “light-years more sophisticated” than malevolent programs commonly downloaded from the Internet.
Heartland said it has removed the malware and is working with the U.S. Secret Service to investigate the incident.
John Kindervag, an analyst at Forrester Research, also said Heartland’s breach may be the largest ever, though it’s too soon to know. He said the data the criminals accessed — called “track data” in the industry — are the equivalent of the crown jewels since criminals can use the information to make fake cards.
Mr. Kindervag said such breaches can cost $300 to $600 per account in fraudulent purchases, fees and legal costs. That could put the price of this breach in the hundreds of millions of dollars. Such costs would be spread among banks and other companies in addition to Heartland.
In December, another payment processor, RBS WorldPay, a division of Royal Bank of Scotland Group, announced that its systems had been breached.
More than 40 states have laws that require businesses to disclose when sensitive information may have been accessed by an unauthorized party. In 2008, 656 such incidents were reported, according to the nonprofit Identity Theft Resource Center, up from 446 in 2007.
(Source: Wall Street Journal)