Heartland Update: Banks, Credit Unions Alert Customers to Breach
Heartland (HPY), the sixth-largest payments processor in the U.S., announced earlier this week that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. Headquartered in Princeton, NJ, Heartland handles approximately 100 million transactions per month, although the number of unique cardholders is much lower.
Reporting that they were contacted by VISA and Mastercard as a result of the Heartland breach are:
Some of the institutions have reissued credit cards already; others have said they are using fraud detection tools to monitor cards.
Heartland says it continues to assess the damages inflicted by the attack. Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed.
"The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained. Heartland says it was certified as PCI compliant in April 2008 by a PCI Security Council qualified independent risk assessor.
Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions. Described by Baldwin as "quite a sophisticated attack," he says it has been challenging to discover exactly how it happened.
The forensic teams found that hackers "were grabbing numbers with sniffer malware as it went over our processing platform," Baldwin says. "Unfortunately, we are confident that card holder names and numbers were exposed."
Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."
No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems. The company delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.
Baldwin says the company moved quickly to announce the breach. "It is important to get it out, but leaves us with incomplete information for our customers until the investigation is complete," he says. For more information on the breach, the company has set up a website: www.2008breach.com. Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers.