Hackers hack Heartland Payment credit card system
Theft could be the biggest credit card crime in history.
Heartland Payment Systems (HPY) revealed Tuesday that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.
Robert Baldwin, president and chief financial officer of Heartland, said in an interview with USA TODAY that intruders had access to Heartland’s system for “more weeks” at the end of 2008. The number of victims is unknown. “We just don’t have the information at the moment,” Baldwin said.
Technical security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007. With over 100 million transactions per month, they might find that several months of transactions have been captured, says Michael Maloof, director of technology at TriGeo Network Security.
Heartland processes card payments for restaurants, retailers and other merchants. The company discovered the hack last week after Visa and MasterCard informed it of suspicious transactions from accounts linked to its systems. Investigators then discovered the data theft program put in place by the thieves.
“Our discussions with the Secret Service and the Justice Department give us a pretty good indication that this is part of a group that appears to have committed security breaches at other financial institutions,” Baldwin said. “It’s a very sophisticated attack.” Once the issue is resolved, Heartland plans to notify every victim whose data has been stolen to comply with data loss disclosure laws in more than 30 states, Baldwin said.
“Cleaning up the mess could potentially be a lot more costly than fines or penalties,” said Michael Argast, senior analyst at security firm Sophos.
Heartland’s disclosure coincides with reports of increased criminal activity involving stolen payment card numbers. Security firm CardCops has tracked a 20% year-over-year increase in internet chat room activity where hackers test batches of payment card numbers to make sure they are active. “The numbers could come from a processor, like Heartland, or another source that has access to a lot of customer data but is not a retailer,” said Dan Clements, president of CardCops.
Additionally, Kentucky’s Forcht Bank last week began issuing replacement debit cards to 8,500 customers, amid reports of fraudulent card activity. “There are several other banks involved, and this is not restricted to customers of Forcht Bank,” the bank said in a Jan. 12 statement to customers.