RealTime IT News

Cyber Thieves Hit Payment Processor Heartland

For the second time in a month, a payment processor has reported being hit by data thieves.

This time, the victim is Heartland Payment Systems, one of the five largest payment processors in the United States. Heartland (NYSE: HYP) has not disclosed how many people were affected by the security breach, which it said may have begun in 2008 and was only uncovered last week.

According to Heartland, the scope of the data loss is still being assessed. Credit card account numbers, expiration dates and, in some cases, cardholders' names were stolen in the attack, Nancy Gross, a Heartland spokesperson, told InternetNews.com. However, the company does not yet know how many cardholders or businesses were impacted. The 12-year-old payment processor serves 250,000 business locations and processes more than four billion transactions every year, according to its Web site.

"The investigation is still ongoing and we have very far from complete information," Gross said.

Revelations about a similar data theft at another firm surfaced last month, when RBS WorldPay disclosed that it had suffered a data breach in November that compromised more than a million customers' records.

In the newest data breach, Heartland’s Gross said that a keystroke logger had been found in the company’s card processing system. But according to a Web site that Heartland set up to handle matters relating to the breach, none of its check management or other systems had been affected, so the attackers did not gain access to merchant data or cardholders' Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers.

Still, some observers are worried.

"What's interesting is what's missing" from Heartland's disclosure, Mark Bower, director of information protection solutions at e-mail and database encryption software vendor Voltage Security, told InternetNews.com. "It doesn't say that cardholders' credit card numbers or credit information was actually not breached."

Robert Baldwin, the company's president and chief financial officer, said in a statement on its Web site that Heartland notified federal law enforcement about the breach, and that it also has alerted the issuers of the various cards it processes.

He also said that this incident may be the result of a widespread global cyber fraud operation and that Heartland is cooperating with the United States Secret Service and the Department of Justice (DoJ).

The company said on its breach-related Web site that it discovered the breach after auditing its systems last week, following alerts from MasterCard and Visa about suspicious card transactions in autumn.

However, Gross said that Heartland does not know precisely when the breach actually began.

"We were alerted by Visa and MasterCard late in the fall and we then enlisted the help of several forensic auditors who were charged to conduct a thorough investigation," she said. "But nothing came up until last week."
