Digital Transactions Authoritative, insightful and timely information for payments professionals
Merchant acquirer Heartland Payment Systems Inc. reported on Tuesday that it has found malicious software on its processing system, the result of a breach that happened in 2008 but which Heartland says is now contained. The malware captured an unknown quantity of card numbers and expiration dates along with a lesser amount of cardholder names linked to the numbers. That has led to an undetermined amount of fraud, Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer, tells Digital Transactions News. Coming shortly after the RBS WorldPay breach, Heartland's is the second disclosure in less than a month of a compromise at a big acquirer and a further indication that cyber criminals are turning their attention to merchant processors (Digital Transactions News, Dec. 23, 2008). This latest breach happened despite the fact that a qualified Payment Card Industry data-security standard, or PCI, assessor found Heartland in compliance with the card networks' security standards last April, according to Baldwin. A Heartland spokesperson confirms the assessor was Chicago-based Trustwave. The Heartland case indicates criminals are finding ways to circumvent PCI protections. Last March, grocery chain Hannaford Bros. Co. disclosed a breach that exposed 4.2 million credit and debit card numbers, despite its compliance with PCI (Digital Transactions News, March 18, 2008). Baldwin says Heartland did not store payment card numbers, a common but far from the only source of data thefts. “It's fair to say that the sophistication of this attack was sufficient that the fact of our PCI compliance … [was] inadequate enough to stop it,” Baldwin says. “I think it says a lot about the bad guys.” After bringing in outside investigators and immediately reporting the breach to the U.S. Secret Service and U.S. Justice Department upon confirming it last week, Heartland in a news release today described the incident as the possible work of “a widespread global cyber fraud operation.” Baldwin wouldn't disclose further details, but says so far there is no evidence the malware's placement was the work of a disgruntled employee or contractor familiar with the company. “All indications are” that it was planted from outside, he says, adding that he can't speculate on whether Heartland's breach has links to the RBS WorldPay breach. Princeton, N.J.-based Heartland is one of the nation's largest acquirers, processing for about 250,000 merchant locations. It has a number of business units, including its so-called Network Services segment serving mostly petroleum retailers that Heartland bought last year from Alliance Data Systems Corp. The malware was placed on a system for processing card transactions from about 155,000 mostly small and mid-sized business locations, many of which are restaurants. Restaurants have a comparatively high rate of data breaches, but Baldwin says the incident did not involve merchants. “This malware was designed to capture the transaction as it was being processed in our system,” he says. “This was inside our firewalls; this was not at all at a merchant location.” Visa Inc. and MasterCard Inc. first alerted Heartland of suspicious transactions late in the fall, according to Baldwin. The ensuing investigation did not uncover the usual suspect?a common point of purchase linking the fraud. That led to a more difficult investigation, essentially consisting of two audits, to a find common point of processing, says Baldwin. The probe finally pointed to Heartland's system and led to the discovery of the malware. Asked when the malware was planted, Baldwin says, “we have some strong suspicions, but at this point it's still speculative. This was a sophisticated attack.” After obtaining approvals from affected parties, Tuesday “was the earliest we could get” the news disclosed publicly, he adds. The breach could be large, according to Avivah Litan, a technology and security analyst at Stamford, Conn.-based Gartner Inc. “Very credible sources tell me this could be at least as big as TJX,” she says, refusing to identify the sources. The breach retailer TJX Cos. disclosed two years ago compromised nearly 46 million card numbers by TJX's admission and possibly close to 100 million in the opinion of an outside security expert (Digital Transactions News, Oct. 25, 2007). “We can't speculate about the size of the breach,” Baldwin says, but he adds that the affected system handles about 100 million transactions a month from a “significantly” smaller number of cards. He hopes to have more on the total amount of fraud soon from the card networks. The data thefts were the kind that would enable fraudsters to produce so-called white cards that could be used at unattended locations, Baldwin says. Heartland says it has purged the malware and taken other steps to enhance system security. “In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals,” Tuesday's release says. The processor has set up a Web site at www.2008breach.com to post information about the breach. Heartland is a non-bank acquirer that uses Cleveland-based KeyBank as its primary sponsor into the Visa and MasterCard networks. Its other sponsor is its former co-owner, St. Louis-based Heartland Bank.
