Heartland Data Breach: Institutions Still Feel the Sting
Tampa Credit Union is Latest Victim; Notifies 56,000 Members of Potential CompromiseSuncoast Schools Federal Credit Union discovered only at the end of May that some of its customers could be in danger from the payments processor breach in which customer account data from millions of credit and debit card transactions was exposed. The credit union is issuing new cards to all members whose accounts were compromised. Fewer than 1,000 members were actually affected by fraud as of last week, according to Melva McKay-Bass, senior vice president of member service operations for Suncoast.
Suncoast Schools FCU, with 450,000 members, has 50 locations in central Florida and reported nearly $5.9 billion in assets in 2008.
The credit union began notifying members via mail in the first week of June, says McKay-Bass. "It was not a Suncoast exclusive event, nor was it through any fault of our own," McKay-Bass told the St. Petersburg Times. "It was not anything that we had done wrong."
McKay-Bass says the Heartland breach only resulted in encrypted card data being compromised -- not members' personal information.
Heartland found malicious software on its system in January 2009 after an exhaustive investigation which began in Fall 2008. After receiving reports from card brands about anomalies, Heartland immediately began a comprehensive forensic investigation. Initial findings suggested that Heartland's system was not the source of anomalies, states Heartland's spokesperson. Later, in January, Heartland's forensic team located the malware.
Data, including card transactions sent over Heartland's internal processing platform, was sent unencrypted. No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems. The company delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.
Suncoast is among more than 665 institutions that have reported having cards affected because of Heartland. More institutions may find themselves in a similar situation, notes Gartner Research distinguished analyst Avivah Litan.
"The fraudsters have long staying power - they typically steal millions or hundreds of thousands of cards at a time and wait sometimes up to a year or more to use them all," Litan says. "So we may be living with the fallout from the Heartland breach for a year or more to come."