Digital Transactions Authoritative, insightful and timely information for payments professionals
Four computers containing Social Security and bank-account numbers for an estimated 2,200 individuals have been stolen from a California office of merchant processor Heartland Payment Systems Inc.’s payroll-processing division, Heartland reported Monday.
Also on Monday the PCI Security Standards Council updated its rules governing payment card software. And in other security news, Sally Beauty Holdings last week confirmed that it has suffered another data breach, the retailer’s second in less than 18 months.
• Heartland. Merchant processor Heartland spent years upgrading its security systems, technology, and reputation after reporting in early 2009 what became known as the largest breach in card-industry history, with 130 million card numbers compromised. Late Monday, the Princeton, N.J.-based company confirmed what apparently is a far smaller compromise—the theft of 11 password-protected desktop computers from an office of its payroll-processing division in Santa Ana, Calif.
Four of them “may have contained” personally identifiable information, according to a Heartland release. Heartland says it has notified 2,200 individuals that their information could have been affected.
The release doesn’t say what the personal data is, but a Heartland form letter for payroll clients to inform their employees about the breach, posted on the California Attorney General’s Web site, says the computers may have contained Social Security numbers and bank-account numbers.
As is often the case with data compromises, much of the publicly released information is vague or incomplete. The Heartland release says the four computers in question “were not connected to any other Heartland office, business, system, or server.” But while the machines were password protected, it is not clear if the data on them was encrypted.
“As part of our ongoing commitment to security, Heartland has already encrypted most computers, and as we integrate acquisitions, Heartland is actively working to encrypt any remaining computers in every office that may have access to, or house, [personal identifying information] or payment data,” the release says.
The release also doesn't say when the burglary occurred. But in response to Digital Transactions News' inquiries, a Heartland spokesperson says it happened on the weekend of Feb. 21 and that local authorities contacted the company Feb. 22. Heartland completed an internal investigation May 8.
Also stolen in the burglary were televisions and LCD panels. Cpl. Anthony Bertagna of the Santa Ana Police Department says about $6,800 worth of equipment was taken in all. There were no signs of forced entry, nor was there any surveillance video of the burglary, according to Bertagna. He says a “set of items” from the office was sent to a lab for DNA testing.
Heartland says that so far there is no indication that any of the personal information was accessed or used fraudulently, or that the thieves intended to use it. In addition to local authorities, the company has notified state and federal officials.
Heartland’s Santa Ana office originally belonged to Ovation Payroll, which Heartland bought in 2013 as part of a major expansion into the payroll-services industry.
• PCI Council: As expected, the Wakefield, Mass.-based PCI Council released the latest update to its Payment Application Data-Security Standard (PA-DSS), a companion standard to the main Payment Card Industry DSS specifically for card-processing software. The update, officially PA-DSS Version 3.1, reflects many of the changes in the main standard announced earlier this year and especially takes aim at the vulnerabilities of Secure Sockets Layer encryption.
Once widely used, SSL encryption is now considered by security experts to be weak. The PCI Council wants card processors and merchants to use a stronger technology known as Transport Layer Security.
“The SSL protocol vulnerability primarily affects Web servers and browsers,” a Council release says. “If exploited, it can jeopardize the security of any payment card data being accepted or processed. Upgrading payment applications and systems to a minimum of TLS 1.1 (the successor protocol to SSL) is the only known way to remediate SSL vulnerabilities that have been most recently exploited by browser attacks, including Poodle and Beast.”
The Payment Application revision became effective Monday, but software applications already in the process of being validated against the earlier PA-DSS Version 3.0 have a transition period to upgrade.
• Sally Beauty. Denton, Texas-based Sally Beauty reported nearly a month ago that it was investigating reports of suspicious activities on cards used at its stores. On May 28, the company confirmed that malware had been installed on some of its point-of-sale systems and was operating at varying times between March 6 and April 17.
Potentially compromised data include “name, credit, or debit card number, expiration date, cardholder verification value, and service code,” Sally Beauty’s Web site says. Debit card PINs likely were not compromised, the company said. The malware has been removed.
The earlier breach compromised less than 25,000 cards.
