A large credit card processing company was breached in an attack late last year that may have compromised more than 100 million accounts.

Heartland Payment Services, which processes debit and credit card transactions for 250,000 businesses, said it first learned around late October that it might have been hacked, but wasn't able to determine that its system had indeed been breached until last week. The company said it notified the public Tuesday as soon as it confirmed it was the victim of a "highly sophisticated" attack.

Law enforcement officials are investigating the breach as potentially part of a wider cyber fraud operation with multiple victims, according to Robert Baldwin, Heartland's president and chief financial officer.

"They are working on an active investigation on a gang [and] all the hallmarks are that this is associated with that," Baldwin said. "They have said that investigation is focused on a significant number of breaches of financial institutions."

Heartland discovered malware on its system that allowed thieves to sniff unencrypted card data as transactions were being authorized in Heartland's system. The thieves captured card account numbers and expiration dates and, in 20 percent of cases, the customer's name as well.

The company, which is based in New Jersey, did not know how long the sniffer was in its system or how many card accounts might have been compromised, although the company's web site indicates that it processes about 100 million transactions a month.

Heartland said the thieves did not obtain personal identification numbers (PINs) or customer address information – which limits the value of the card data to the thieves.

To use the card numbers online or over the phone, the thief would generally need the customer's billing address – or at least a ZIP code – and the three- or four-digit security code printed on the card, although there are some merchants who fail to ask for such information. The company says a thief could, however, clone stolen debit card data to a fake card and swipe the card as a credit card, though this puts the thief at risk of being caught on surveillance cameras.

Baldwin told Threat Level that Heartland first learned of a possible breach in late fall after Visa and MasterCard reported a pattern of suspicious transactions, but that the company initially received conflicting information that led it to believe the leak may have sprung outside of Heartland's systems.

"Some of the information they gave us threw us off the scent," Baldwin said. "There were transactions that hadn't crossed our platform."

The company eventually decided it needed to analyze its system anyway and called in outside forensic investigators in early December when internal auditors could find no problem. The outside investigators were unable to find the breach until last week when they discovered "some residual temp files" that led them to the malware.

Investigators still have not determined how the intruders infiltrated the system, but Baldwin said it was not a case of an employee opening an infected attachment.

"We employ a lot of anti-virus capabilities that this was able to get through," he said, adding that as far as Heartland knows the malware is of a previously undiscovered variety.

Baldwin said Heartland's announcement on Inauguration Day was not intended to bury the news. He said the company first found clues pointing to the malware last week and worked through the weekend to uncover it in the system. Employees then spent Monday, a holiday, coordinating with the Secret Service, the Department of Justice and the card issuers to get approval for a press release.

"Really, today was the first possible day that we could get this information out," Baldwin said. "Transparency is absolutely critical. It's a core value of this company.... We're not kidding ourselves that if it doesn't get reported today it's going to go away. To purposefully hold off the information [for another day] was just going to be wrong."

Heartland didn't want to delay the announcement to Wednesday for fear of a leak that could lead to insider trading on the public company's stock.

Regarding who might have been affected by the breach, Heartland has declined to identify the businesses that are its customers. But Baldwin told the Washington Post that 40 percent of the transactions the company processes come from small to mid-size restaurants.

Heartland is advising consumers to monitor their account statements and report suspicious activity to their card issuer. The company has also established a web site to address questions about the breach.

(Updated January 20, 2009 | 8:45:00 PM)
