Credit Card Data Breach at Heartland Payment Systems

Heartland Payment Systems issued a press release at 9:00 AM today, announcing (sort of) that they had been a victim of a data breach. They didn’t announce the number of possible compromised records, or much of anything else either, but they did say that they found malware in their system.

I’d heard some rumors over the past weekend. In fact, they were more than rumors. I had information from a very reliable source that the breach had the potential of being bigger than the TJX breach of around 90 million credit card records. The breach had been ongoing from May until November.

While reading the initial press release, I was struck by the fact that they made a point of saying what was not compromised but said nothing about what was. Phrases like “No merchant information or cardholder Social Security numbers compromised” don’t instill a lot of confidence in e-Commerce merchants. Neither of those are credit card numbers.

Given the lack of detail in the press release and the information that I had, I sent an email to the address on the initial press release. The gist of the email was:

Would I be correct in assuming that “merchant data” does not include credit card information and that a huge number of credit card accounts were compromised? Word in the rumor mill since last week is that this one could be bigger than TJX. That would put it in the 100 million credit card neighborhood.

Care to comment?

Within minutes I got a response asking for my phone number. They wanted to talk to me. I responded with my cell phone number about 7 hours ago but haven’t heard from them. I guess they’re a bit busy right now!

There’s been some speculation in the blogosphere that HPS was pulling a sleazy thing releasing the information on Election Day hoping to slide in under the radar. I’m not sure.

Here’s my take on the release of information

I think HPS had no choice but to disclose today. They might have done it yesterday if it wasn’t a holiday. There was obviously a leak of information. I have more than I’m sure they’d like me to have and I had it over the weekend. If they knew there was a leak, they probably had to disclose with as little information as possible.

The final damages from this breach?

A lot depends on the level of security they had in place. If they were PCI compliant there will certainly be fewer repercussions than if they were full of holes. But in the end, I suspect the damage will be unmeasurable.

As for the number of credit card accounts that were compromised, I think it will exceed the 100 Million mark. Exceed it a lot! Here’s the thing…

Heartland Payment Systems claims that they do 100 Million transactions per month. My sources tell me the breach was ongoing for 6 months. You do the math. Even if a huge number of their transactions are with cardholders using the same card number, that would put the number way over 100 million card records. Probably closer to 300 million.

And it’s all mag strip data!

About Tom Mahoney

Tom Mahoney is the Founder and Director of Merchant911, a site dedicated to helping e-commerce merchants.

Hi there.

I am not sure why Heartland and/or Chase keep saying that Social Security numbers were not breached. I had my personal information stolen in this situation and the criminals have enough information on me to not only attempt to make transactions on my current accounts, but also they have opened new accounts since 1/24/2009. To me this means that they have my name, social security number, address, birthdate and whatever else they may need to open a new account. In addition, 2 of the cards that attempted and successful charges were made on have not been used for the past, at least, 2 years. So...obviously...these companies are hiding something more because if I know I haven't used 2 of my compromised credit cards in at least the past 2 years, how can the security breach with regards to transactions processed have happened within the past 6 months?

Greg, you are correct. I've deleted the reference to the Post article but I do stand by my 300 Million number.

Thanks for catching the 999 million record typo!

I do not know if you can edit your blog, but I think you may have said this incorrectly.

The Washington Post is now reporting that the breach involves 1000 million accounts.

I think you meant 100 million. The Washington Post was referring to how many transactions it processes, not how many cards may have been breached. I do think they should list all the retailers that use Heartland. Consumers will not blame the merchants. I even read a comment on the consumerist website that said Heartland didn't even notify the merchant(s) of card breach.