January 21, 2009
Heartland, a company that processes credit card payments for Visa and Mastercard, has revealed that hackers were successful in getting inside its systems in what may be the largest data breach ever.
Heartland processes credit cards for about a quarter of a million companies. It said it was contacted by Visa and Mastercard about suspicious activities on thousands of cards. Heartland discovered that a hacker has uploaded software that allowed the theft of data from its networks, exposing up to 100 million credit and debit card accounts to potential theft or misuse.
The company is quick to point out that the hackers, while able to make charges on a number of cards, did not steal PIN numbers or other personal information. It's not clear when the breach occurred, but Robert Daldwin, the company's president, said it apparently happened at some point last year.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," Baldwin said. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland said it enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.
The company said it immediately took a number of steps to further secure its systems. In addition, Heartland said it will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.
So far, the company has no idea how extensive the breach is, but concedes that it could be huge, considering the number of accounts managed by its networks. It says cardholders whose accounts have been compromised will be notified once investigators sort things out.
