Heartland Payment Systems disclosed little information in a press release regarding a security breach that they discovered last week. The company provides “credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide”.
The lack of information in the release is curious, because the news was released right on Jan. 20th, buried amongst the media focus on the new president, and the release contains little details on what may potentially be the largest known breach to date.
“Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.”
“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

It’s interesting and eye-opening that the company did not have systems in place to identify the breach themselves. They were tipped off to it by Visa and MasterCard:
“After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.”

“Heartland apologizes for any inconvenience this situation has caused. Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.”

We will monitor for more information regarding the malware itself. However, further details will most likely not be released in the midst of an ongoing investigation.

This entry was posted on Thursday, January 22nd, 2009 at 10:04 am and is filed under Disclosure, Security breach, Undetected malware, cybercrime. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.