Banks’ Card Reissuance Indicates Probable Scope of Heartland Breach

As merchant acquirer Heartland Payment Systems Inc. and federal investigators continue to probe the data breach Heartland disclosed on Tuesday, evidence is building that banks and credit unions around the country are reissuing cards on a mass scale as a likely result of the breach. That could give credence to early speculation that Heartland's will go down as a huge data breach–one of the largest, if not the largest, so far. Reports of actual fraud, however, are still minimal. Local press accounts picked up by Digital Transactions News show financial institutions across the country started monitoring accounts for fraud or reissuing cards after being alerted recently by Visa Inc., MasterCard Inc., or other payment networks of compromised credit and debit card numbers. Alerts started coming before Heartland went public. While public confirmation of a link between banks' recent alerts and the Heartland breach is still lacking, bankers say Heartland is likely the source of the compromised numbers. In addition, CardCops Inc., which monitors the Internet underworld of card fraudsters, says it noticed in recent months a 20% increase in the number of test authorizations fraudsters were doing on newly acquired card numbers, a possible sign of a large breach. Lexington, Ky.-based Forcht Bank N.A. is in the process of reissuing 8,500 of the 22,000 cards in its MasterCard debit portfolio after being warned on Jan. 10 by the Star electronic funds transfer network of a possible compromise, according to chief marketing officer Eddie Woodruff. Woodruff says he contacted Heartland on Wednesday, and while the processor would not definitively tie its breach to the compromised Forcht cards, he says “we cannot 100% confirm it, but we are at about 99% at this point. These things don't happen every day. The timing of it leads us to believe it was related to Heartland Payment Systems.” So far there's been no fraud, however. First National Bank of Hutchinson, Kan., is reissuing 1,000 Visa debit cards, about one-fifth of its portfolio, after getting a notice from Visa on Wednesday of compromised numbers, according to Carol Berger, executive vice president of retail banking. Berger wasn't the bank official who read the warning, but she believes the compromised numbers had been through Heartland's system. There hasn't been fraud on the accounts, but fraud could occur up to a year after a compromise, she says. Berger wouldn't estimate the cost of the reissuance. “It's not just the cost of the card, but there's the time involved,” she says. “The thing that worries us the most is the inconvenience to the customer.” Last weekend, Kennebec Savings Bank in Augusta, Maine, said it had informed about 1,500 customers that their debit card numbers might have been compromised in a security breach MasterCard reported to the bank, according to a local newspaper report. The bank said at the time that it didn't know if the breach originated with a retailer or processor, and that it would not automatically reissue cards because it hadn't received any reports of fraud. A bank executive did not return a call from Digital Transactions News. Visa and MasterCard clients collectively had 1.04 billion credit and debit cards in issue in the U.S. as of mid-2008. The Heartland breach would have to cause the reissuance of 10% of that base to surpass the data leak at off-price retailer TJX Cos. as the biggest ever. After disclosing its breach in early 2007, TJX said it may have compromised nearly 46 million card numbers, but an outside expert put the number at more than 90 million. Even if the actual number comes in much lower at Heartland than at TJX, the potential for fraud losses is still high. Since they were captured at authorization, the great majority of the numbers from Heartland probably were current, whereas a big share of the compromised numbers at TJX were expired. Heartland says so-called malicious software, or malware, was secretly planted in one of its computer platforms that handles 100 million transactions a month from about 175,000 small and mid-sized merchant locations (Digital Transactions News, Jan. 20). Possibly installed as far back as May, according to The New York Times, what is being described as a “sniffer” program captured card numbers, expiration dates and some cardholder names while they were in transit and unencrypted during authorizations. Heartland learned of a problem late last fall after being alerted by the card networks, but says it took until last week to locate the malware. A Heartland spokesperson tells Digital Transactions News late Thursday that the company's investigation has not yielded any new information. If small financial institutions are reissuing cards for sizable shares of their portfolios, it seems likely big issuers are too. But apart from saying they'll take appropriate steps to protect cardholders if they detect misuse of accounts, the nation's largest banks?Citigroup Inc., JPMorgan Chase & Co., and Bank of America Corp.?are saying little about the Heartland breach, citing concerns about compromising the investigation. A spokesperson says Citi is referring customers to a Heartland Web site, http://www.2008breach.com, that the processor set up to dispense information. MasterCard also won't say much because of the ongoing investigation. “Fraud patterns recognized through our aggregated fraud data as well as data reported to us by customers subsequently led us to initiate a dialog with Heartland Payment Systems,” a spokesperson says by e-mail today. “In turn, Heartland had its systems examined, which resulted in the identification of malware.” Visa would not comment late Wednesday. Dan Clements, president of CardCops, says he isn't surprised by the Heartland breach. He says his Trumbull, Conn.-based organization over the past six months has noticed in underworld chat rooms and fraudster sites clusters of compromised cards that upon investigation turn out not to have any merchant location in common. “What that tells us is the compromise is upstream [from merchants],” Clements tells Digital Transactions News. “It's a processor, or a financial institution, or a postal carrier.” Hackers, he says, are now targeting processors and other places where card data are aggregated. “They're going for the big fish, clearly,” he says. “This is a nefarious attack on the payment system, end of story,” adds Mountain Home, Ark.-based merchant-processing consultant Paul Martaus. “This is serious stuff.”