Hackers breach Heartland Payment credit card system

Heartland Payment Systems (HPY) on Tuesday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.
Robert Baldwin, Heartland’s president and CFO, said in a USA TODAY interview that the intruders had access to Heartland’s system for “longer than weeks” in late 2008. The number of victims is unknown. “We just don’t have the information right now,” Baldwin said.

Tech security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007. With more than 100 million transactions per month, investigators could discover that several months’ worth of transactions were captured, says Michael Maloof, chief technology officer at TriGeo Network Security.

Heartland processes card payments for restaurants, retailers and other merchants. It discovered the hack last week after Visa and MasterCard notified it of suspicious transactions stemming from accounts linked to its systems. Investigators then found the data-stealing program planted by the thieves.

“Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions,” said Baldwin. “This is a very sophisticated attack.” Once it sorts out the matter, Heartland plans to notify each victim whose data were stolen to comply with data-loss disclosure laws in more than 30 states, Baldwin said.

“Cleaning up the mess could be potentially much more expensive than any fines or penalties,” says Michael Argast, senior analyst at security firm Sophos.

Heartland’s disclosure coincides with reports of heightened criminal activities involving stolen payment card numbers. Security firm CardCops has been tracking a 20% year-over-year increase in Internet chat room activity where hackers test batches of payment card numbers to make sure that they’re active. “The numbers could have come from a processor, like Heartland, or some other source that has access to a lot of customer data but is not a retailer,” says Dan Clements, CardCops president.

Also, Forcht Bank in Kentucky last week began issuing replacement debit cards to 8,500 patrons, due to reports of fraudulent card activity. “There are several other banks affected, and this is not isolated to Forcht Bank customers,” the bank said in a Jan. 12 statement to customers.

http://www.usatoday.com/money/perfi/credit/2009-01-20-heartland-credit-card-security-breach_N.htm

Heartland Payment Systems Uncovers Malicious Software In Its Processing System

Company Release - 01/20/2009 09:00

No merchant information or cardholder Social Security numbers compromised.

PRINCETON, N.J., Jan. 20 /PRNewswire-FirstCall/ – Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.

“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

After being alerted by Visa(R) and MasterCard(R) of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

Heartland has created a website - www.2008breach.com - to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

“Heartland apologizes for any inconvenience this situation has caused,” continued Baldwin. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”

About Heartland Payment Systems

Heartland Payment Systems, Inc., a NYSE company trading under the symbol HPY, delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.

Heartland is the founding supporter of The Merchant Bill of Rights, a public advocacy initiative that educates merchants about fair credit and debit card processing practices. For more information, please visit www.heartlandpaymentsystems.com and www.MerchantBillOfRights.com .

Forward Looking Statements

This press release may contain statements of a forward-looking nature which represent our management’s beliefs and assumptions concerning future events. Forward-looking statements involve risks, uncertainties and assumptions and are based on information currently available to us. Actual results may differ materially from those expressed in the forward-looking statements due to many factors. Information concerning these factors is contained in the Company’s Securities and Exchange Commission filings, including but not limited to, the Company’s annual report on Form 10- K, or Form 10-Q as applicable. We undertake no obligation to update any forward-looking statements to reflect events or circumstances that may arise after the date of this release.

For More Information:
Nancy Gross
Phone:  215.519.7367
Email:  [email protected]

SOURCE Heartland Payment Systems, Inc.

Contact: Nancy Gross, +1-215-519-7367, [email protected]

Heartland chairman and CEO Bob Carr talks about breach during quarterly earnings call

Heartland Payment Systems’ top executives on Tuesday shed more light on the firm’s massive data breach, and said that Heartland would fight ensuing lawsuits stemming from the incident.

In an earnings call, the transcript of which has been posted online as well as summarized in the firm’s fourth quarter 2008 financial report, Heartland chairman and CEO Bob Carr said the malware that infected the firm’s systems could read and collect unencrypted data in motion, and that the attackers may have been able to “trade” from its network some of the data that was accessed.

“Keep in mind that Heartland passed its PCI certification last April, and assessors are currently on-site for 2009 certification, which we are targeting to begin to complete by the end of April. In that regard, throughout the potential period of the breach, Heartland did have antivirus software installed on its payment processing network,” Carr said.

Heartland, which processes 100 million payment card transactions per month for 175,000 merchants, announced on Jan. 20 that it had discovered malware on its processing system. Security experts say this may be the largest ever data breach. A second, as-yet undisclosed payment processor has also suffered a big breach, according to several credit union organizations.

Carr said Heartland thinks the malware was not always active on its servers. “And [it] was probably not gathering information from 100 percent of transactions flowing through the system even when active or exporting all of the captured information to the criminals,” he said. “For this reason, it is simply not possible at this time to determine accurately the number of card accounts that had information placed at risk of compromise during the breach, or to what extent any such information placed at risk was, in fact, compromised.”

Carr noted that while PCI provides some security, data in motion also must be encrypted. The company previously had announced its plans to spearhead an end-to-end encryption effort in the payment industry. “To this end we have formed an internal department dedicated exclusively to the development of end-to-end encryption, designed to protect merchant and consumer data use and financial transactions,” Carr said.

Heartland considers end-to-end encryption to encompass “the point of card swipe or data entry by a hardware appliance with the encrypted data flowing through all the gateways and communication links to the front-end authorization in data capture switch,” he said. Data also must be encrypted between the front-end and back-end processing systems, in transit as well as at rest, he said.

Robert Baldwin, president and CFO of Heartland, also said that the company was “the subject to several governmental investigations and inquiry, including an informal inquiry by the SEC and a related investigation by the Department of Justice, an inquiry by the OCC [Office of the Comptroller of the Currency], and an inquiry by the FTC.”

http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=214600079
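As an added illustration of the point Carr makes above about data in motion (this is example code written for this page, not Heartland's or anyone else's production code): a passive sniffer on a processing network, which is what the malware described above amounted to, only needs to pattern-match digit runs and apply the Luhn check digit test to pull card numbers out of cleartext authorization traffic. If the reader encrypts the record before it leaves the point of swipe, every intermediate gateway and link carries ciphertext that the same sniffer gets nothing from, while the host that holds the key still decrypts and authorizes. The pipe-delimited message format, the field names, the test PANs and AES-256-GCM as the cipher are all assumptions made for this example; the page does not describe Heartland's message format or say what cipher its appliance would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"regexp"
)

// Constructed sample of the kind of authorization traffic that crossed the
// processor's network in cleartext: two pipe-delimited records. The PANs are
// the well-known Visa and MasterCard test numbers, not real accounts, and the
// 14-digit timestamp is there to show the Luhn filter rejecting digit runs
// that are not card numbers. Format and field names are assumptions.
var sampleAuthTraffic = []byte(
	"MTI=0200|PAN=4111111111111111|EXP=1012|AMT=000001999|TS=20081231235958|TID=00000001\n" +
		"MTI=0200|PAN=5500000000000004|EXP=0311|AMT=000004250|TS=20081231235958|TID=00000002\n")

var digitRun = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid is the check digit test that payment card numbers satisfy.
func luhnValid(s string) bool {
	sum, double := 0, false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// harvestPANs models what a sniffer sitting on the network can pull out of
// whatever bytes pass it: every 13-19 digit run that passes Luhn.
func harvestPANs(wire []byte) []string {
	var pans []string
	for _, m := range digitRun.FindAll(wire, -1) {
		if luhnValid(string(m)) {
			pans = append(pans, string(m))
		}
	}
	return pans
}

// encryptAtSwipe stands in for the hardware reader: the whole record is sealed
// under a key that only the reader and the host share, so every hop between
// them sees ciphertext. AES-256-GCM is an assumption for this example.
func encryptAtSwipe(key, record []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Wire layout: nonce || ciphertext || tag. The tag lets the host reject
	// a record that was altered in transit rather than authorize it.
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// decryptAtHost is the front-end switch recovering the record for authorization.
func decryptAtHost(key, wire []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(wire) < gcm.NonceSize()+gcm.Overhead() {
		return nil, fmt.Errorf("record too short to carry nonce and tag")
	}
	nonce, ct := wire[:gcm.NonceSize()], wire[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	// The key is shared only by reader and host; how it gets there (key
	// injection at the reader, an HSM at the host) is outside this example.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fmt.Println("cleartext on the wire, sniffer harvests:", harvestPANs(sampleAuthTraffic))
	wire, err := encryptAtSwipe(key, sampleAuthTraffic)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted at swipe, sniffer harvests:", harvestPANs(wire))
	record, err := decryptAtHost(key, wire)
	if err != nil {
		panic(err)
	}
	fmt.Println("host decrypts and can authorize:", harvestPANs(record))
}
```

Run with `go run`: the first line lists both test PANs, the second lists none, the third lists both again. Two caveats follow from the example rather than from the page. First, the sniffer is defeated only on the hops that do not hold the key; a compromised host that decrypts still exposes the record, which is why Carr also speaks of encryption at rest. Second, getting the key into every reader and only into the authorizing host is the hard part of end-to-end encryption, and the example does not model it.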

I agree with all the terms and inclusions given here in this post, which deals with the payment card processing system and the need for data security standards. Heartland considers end-to-end encryption to encompass "the point of card swipe or data entry by a hardware appliance with the encrypted data flowing through all the gateways and communication links to the front-end authorization in data capture switch."