No Confirmation So Far for Multiple Reports of Another Breach

Reports of yet another merchant-acquirer data breach are speeding around the Internet, but the card networks have not confirmed them publicly. Nor has any processor been identified. Merchant-acquiring sources, however, tell Digital Transaction News that multiple processors may have been breached in recent months. The non-profit Open Security Foundation, an organization of information-security specialists, reported Feb. 13 on its DataLossDB Web site that banks and credit unions had begun receiving notices of a “significant breach” unrelated to the one revealed in January by Heartland Payment Systems Inc., one of the nation's biggest acquirers. On Sunday, the OSF added some detail based on alerts from financial institutions or financial-institution organizations to their members. The Community Bankers Association of Illinois reported Feb. 12 that Visa Inc. “announced that an unnamed processor recently reported that it had discovered a data breach.” The breach supposedly affected all card brands, and hackers obtained primary account numbers (PANs) and card-expiration dates. Hackers reportedly did not get cardholder Social Security numbers, unencrypted PINs, addresses, telephone numbers, or other personal information. The attackers also did not get data from magnetic stripes, suggesting a compromise of data from card-not-present transactions?those originating over the Internet or on telephones. Some banks have seen an increase in card-not-present fraud, the notice says. A recent notice on the Tuscaloosa (Ala.) V.A. Federal Credit Union's Web site about potential card-not-present fraud says much the same thing. It also says malicious software (“malware”) was placed on the unidentified processor's systems. The Heartland breach involved malware that captured card numbers during the brief period in the transaction process while they must be unencrypted to enter the bank card networks (Digital Transactions News, Jan. 20). A spokesperson for Visa would not comment today. A source close to Visa, however, disputes the reports. “There is no new breach,” this source says. “It's being interpreted as a new breach, incorrectly.” The source would not offer details. In an e-mail message, a spokesperson for MasterCard Inc. refers to a “potential security breach affecting an acquiring processor in the United States,” and adds that MasterCard “is monitoring developments and has notified issuers of cards that were determined to be improperly accessed by an unauthorized party to monitor for any suspicious activity.” But other observers contacted by Digital Transactions News say they are hearing reports of more attacks against merchant processors. “I've heard it from a couple of sources that it's wider than Heartland,” says security and technology analyst Avivah Litan of Stamford, Conn.-based Gartner Inc. “The bigger issue is there's probably been a massive attack against the processors, but they're trying to keep it quiet.” Another source who insisted on anonymity believes at least a dozen merchant processors have been attacked. Heartland, when announcing its breach, described the incident as the possible work of “a widespread global cyber-fraud operation.” Federal authorities are investigating Heartland's breach, the extent of which is still undisclosed. Heartland faces several breach-related lawsuits and probes by the Securities and Exchange Commission, the U.S. Department of Justice, the U.S. Treasury Department's Office of the Comptroller of the Currency, and the Federal Trade Commission, company president Robert H.B. Baldwin Jr. said Tuesday during Heartland's fourth-quarter earnings conference call. The company said it might incur future losses from the breach, but it did not have enough information to make an estimate as to their amount. Heartland did cut its quarterly dividend by 72%, from 9 cents per share to 2.5 cents, in order to conserve cash. Boosted in part by its acquisition last year of Alliance Data Corp.'s Network Services petroleum and convenience-store merchant portfolio, fourth-quarter processing volumes at Heartland rose 23% to $16.5 billion. Heartland's merchants suffered a 6.8% drop in same-store sales, however, a reflection of recent reports from other acquirers about the effects of the recession. Heartland's net income rose 16.8% to $7.98 million from $6.83 million in 2007's fourth quarter, and net revenues increased 31.3% to $100.1 million from $76.2 million. But those totals fell short of Wall Street's predictions, and Heartland's stock fell 30%.