Heartland Update: Banks, Credit Unions Alert Customers to Breach

Heartland Update: Banks, Credit Unions Alert Customers to Breach
There are at least six institutions so far that have found out their customers' credit or debit cards could have been compromised as part of the Heartland Payment Systems breach.

Heartland (HPY), the sixth-largest payments processor in the U.S., announced earlier this week that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Headquartered in Princeton, NJ, Heartland handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. Heartland Payment Systems data breach coverage

Reporting that they were contacted by VISA and Mastercard as a result of the Heartland breach are:

Kennebec Savings Bank, Augusta, ME;
Forcht Bank, Kentucky;
GFA Federal Credit Union, Gardner, MA;
TD Bank and TD Bank North, Portland, ME;
PeoplesChoice Credit Union, Saco, ME.

Some of the institutions have reissued credit cards already; others have said they are using fraud detection tools to monitor cards.

Heartland says it continues to assess the damages inflicted by the attack. Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed.

"The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained. Heartland says it was certified as PCI compliant in April 2008 by a PCI Security Council qualified independent risk assessor.

Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.

The forensic teams found that hackers "were grabbing numbers with sniffer malware as it went over our processing platform," Baldwin says. "Unfortunately, we are confident that card holder names and numbers were exposed."

Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems. The company delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.

Baldwin says the company moved quickly to announce the breach. "It is important to get it out, but leaves us with incomplete information for our customers until the investigation is complete," he says. For more information on the breach, the company has set up a website: www.2008breach.com. Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers.

About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.