[Infowarrior] - Payment Processor Breach May Be Largest Ever

Richard Forno rforno at infowarrior.org
Tue Jan 20 19:02:17 UTC 2009


Payment Processor Breach May Be Largest Ever

http://voices.washingtonpost.com/securityfix/2009/01/payment_processor_breach_may_b.html?hpid=topnews

A data breach last year at Princeton, N.J., payment processor  
Heartland Payment Systems may have led to the theft of more than 100  
million credit and debit card accounts, the company said today.

If accurate, such figures may make the Heartland incident one of the  
largest data breaches ever reported.

Robert Baldwin, Heartland's president and chief financial officer,  
said the company, which processes payments for more than 250,000  
businesses, began receiving fraudulent activity reports late last year  
from MasterCard and Visa on cards that had all been used at merchants  
which rely on Heartland to process payments.

Baldwin said 40 percent of transactions the company processes are from  
small to mid-sized restaurants across the country. He declined to name  
any well-known establishments or retail clients that may have been  
affected by the breach.

Heartland called the U.S. Secret Service and hired two breach forensics  
teams to investigate. But Baldwin said it wasn't until last week that  
investigators uncovered the source of the breach: A piece of malicious  
software planted on the company's payment processing network that  
recorded payment card data as it was being sent for processing to  
Heartland by thousands of the company's retail clients.

Baldwin said Heartland does not know how long the malicious software  
was in place, or how many accounts may have been compromised. The  
stolen data includes names, credit and debit card numbers and  
expiration dates.

"The transactional data crossing our platform, in terms of  
magnitude... is about 100 million transactions a month," Baldwin said.  
"At this point, though, we don't know the magnitude of what was  
grabbed."

The company stressed that no merchant data or cardholder Social  
Security numbers, unencrypted personal identification numbers (PIN),  
addresses or telephone numbers were jeopardized as a result of the  
breach.

The data stolen includes the digital information encoded onto the  
magnetic stripe built into the backs of credit and debit cards. Armed  
with this data, thieves can fashion counterfeit credit cards by  
imprinting the same stolen information onto fabricated cards.

"The nature of the [breach] is such that card-not-present transactions  
are actually quite difficult for the bad guys to do because one piece  
of information we know they did not get was an address," Baldwin said.  
As a result, he said, the prospect of thieves using the stolen data to  
rack up massive amounts of fraud at online merchants "is not  
impossible, but much less likely."

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing  
of Heartland's disclosure -- a day in which many Americans and news  
outlets are glued to coverage of Barack Obama's inauguration as the  
nation's 44th president.

"This looks like the biggest breach ever disclosed, and they're doing  
it on inauguration day?" Litan said. "I can't believe they waited  
until today to disclose. That seems very deceptive."

Officials from the U.S. Secret Service could not be immediately  
reached for comment.

Baldwin said Heartland worked to disclose the breach last week.

"Due to legal reviews, discussions with some of the players involved,  
we couldn't get it together and signed off on until today," Baldwin  
said. "We considered holding back another day, but felt in the  
interests of transparency we wanted to get this information out to  
cardholders as soon as possible, recognizing of course that this is  
not an ideal day from the perspective of visibility."

The Heartland disclosure follows a year of similar breach disclosures  
at several major U.S. card processors. On December 23, RBS Worldpay,  
a subsidiary of Citizens Financial Group Inc., said a breach of its  
payment systems may have affected more than 1.5 million people.

In March 2008, Hannaford Brothers Co. disclosed that a breach of its  
payment systems -- also aided by malicious software -- compromised at  
least 4.2 million credit and debit card accounts.

In early 2007, TJX Companies Inc., the parent of retailers Marshalls  
and TJ Maxx, said a number of breaches over a three-year period exposed  
more than 45 million credit and debit card numbers.

In 2005, a breach at payment card processor CardSystems Solutions  
jeopardized roughly 40 million credit and debit card accounts. 

