Payment Processor Breach May Be Largest Ever – Security Fix

It’s possible that 100 million cards are stolen. Another outsourcing nightmare.

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today.

If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.

Robert Baldwin, Heartland’s president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.

Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country.

Heartland called the U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: a piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent to Heartland for processing by thousands of the company’s retail clients.
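Once a sniffer like the one described above is suspected, the forensics teams’ first job is finding where it stages the captured data. The scanner below is an added example (it is not from the article and not from Heartland’s investigators) of the check a responder runs over a memory dump, a suspect file or a reassembled pcap payload: it looks for track-2 records and bare card numbers, and keeps only candidates that pass the Luhn check, which weeds out timestamps, order numbers and similar digit runs. The sample buffer is constructed from the card brands’ published test numbers, not from any breach data.

```python
"""Scan a byte buffer for staged payment card data (track 2 and bare PANs)."""
from __future__ import annotations

import re
from typing import NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from the magstripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


class Hit(NamedTuple):
    offset: int   # byte offset of the match in the buffer
    kind: str     # "track2" or "pan"
    masked: str   # first six and last four digits only, never the full PAN
    expiry: str   # YYMM from track 2, empty for a bare PAN


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every real card number, false for most noise."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so a report can be shared without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf: bytes) -> list[Hit]:
    hits: list[Hit] = []
    covered: list[tuple[int, int]] = []
    # Track-2 records first: they carry PAN plus expiry and would otherwise be
    # double-counted by the bare-PAN pattern.
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(Hit(m.start(), "track2", mask(pan), m.group(2).decode()))
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in covered):
            continue
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(pan):
            hits.append(Hit(m.start(), "pan", mask(pan), ""))
    return sorted(hits)


# Constructed sample: what a sniffer's staging file might look like. The card
# numbers are the brands' public test numbers, not real accounts.
SAMPLE = (
    b"2009-01-13 21:04:11 ok\n"
    b";4111111111111111=12011011234567890?\n"   # track-2 record, Visa test PAN
    b"order=1234567890123456 amt=41.19\n"       # 16 digits but fails Luhn: not a card
    b"5500 0000 0000 0004 exp=0110\n"           # MasterCard test PAN, spaced
    b"378282246310005\n"                        # Amex test PAN, 15 digits
    b"4111111111111112\n"                       # one-digit typo, fails Luhn
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(f"{h.offset:6d} {h.kind:6s} {h.masked} {h.expiry}")
```

On a real investigation the buffer comes from `strings`-style carving of process memory, a suspect file, or TCP payloads reassembled from a capture; the Luhn filter is what keeps the hit list short enough to triage, and the masking keeps the report itself from becoming another copy of the card data.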




  1. amodedoma says:

    Just when I thought my faith in financial institutions couldn’t get any lower…

  2. bobbo says:

    I’m surprised that any financial transactions can even take place over the interwebbitudes–even when I make a small purchase from Newegg I marvel the entire system isn’t totally compromised. Never thought about the servers and whatnot.

    Can the interwebitudes EVER be secure over the long haul? I assume they can be “safe” for awhile but that the every now and then breach would make the system too insecure for daily use.

    What do our experts know about this?

  3. Paddy-O says:

    Targeted attack. I remember warning of this several years ago. Relatively simple to pull off. There are undoubtedly many more that go undetected.

  4. Cap'nKangaroo says:

    “Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland’s disclosure — a day in which many Americans and news outlets are glued to coverage of Barack Obama’s inauguration as the nation’s 44th president.”

A really relevant, insightful remark. Heartland also said it would be irresponsible to name any of the companies that it processes transactions for. How thoughtful of them.

    Not only do they try to obscure the breach, they won’t let you know if you might be compromised.

  5. Uncle Patso says:

    In comments to the original article, someone asked if this were a gift from China. I believe it’s more likely to be Russian organized crime, although since the story is woefully short of details, it could easily have originated right here in the U.S.

  6. hhopper says:

    When I use a credit card on the net, I download a one-use card from a FireFox PayPal addon. Plus, I use a digital number generator along with my password to log on. Pretty secure.

  7. moss says:

Folks who don’t know anything about credit card processing are jumping to ignorant conclusions. Doesn’t make the theft any less critical; but Heartland isn’t especially processing Internet transactions, except insofar as people happen to buy on the Web in addition to B&M.

    They process credit card transactions for merchants. That’s anywhere and everywhere.

    “Outsourcing”? Merchants can’t take a credit card all the way through to your original account. Neither, of course, can your local bank. Not since maybe 1955.

Retailers have used whichever service provider their own bank relies on for decades. It’s how the credit card is processed. How they get your payment.

  8. Paddy-O says:

    # 6 hhopper said, “When I use a credit card on the net, I download a one-use card from a FireFox PayPal addon.”

    Won’t help you in this case…

  9. Mac Guy says:

    Didn’t they do this in Superman 3?

    Just kidding. Love Office Space…

  10. Sea Lawyer says:

    The real controversy here is that a company in Jersey is calling itself Heartland Payment Systems.

  11. Glenn E. says:

Ah ha! Now we know how that ex-KGB spy may have gotten so rich. You can bet it’s not just a bunch of bored kids behind this breach.

And why are these billing outfits allowed to operate with so little quality and security assurance? Shouldn’t there be some kind of Federal Inspection program in effect, to make sure they haven’t let credit card data leak out like a sieve? Or is it all just put together on the merit system? Trust that it’s all going to be fine, and it will be. So apparently nobody periodically checks what’s running on these payment servers. Or has any kind of watchdog software to detect extra tasks running, other than what’s been cleared. Ya know, for all the damn money this industry is making. Why the hell can’t it spend some of it on having someone watch a computer screen 24/7, to catch these intrusions?! Apparently outsourcing to this lowest-bidder payment processor is Visa and MasterCard’s way of thanking their customers for the high rates they stuck them with. While saving lots more profit, so they can return it to their top executives and major shareholders.

