Heartland Payment Systems, a payment transaction processor for more than 250,000 U.S. businesses, announced what may be the largest data security breach to date. Criminals reportedly installed sniffer software on the company's computer network and gained access to customer records associated with the 100 million card transactions that the company handles each month. The malicious software captured the credit card data at the point where it was unencrypted so that Heartland could seek authorization from the major payment companies and banks. The compromised data includes credit card magnetic stripe data, which can be used to duplicate (clone) credit cards.
Personal data of up to 600 million cardholders were potentially exposed, but Heartland, which is working with the Secret Service, cannot yet say how many records were accessed. Credit card companies contacted Heartland about a pattern of fraudulent transactions on accounts the processor handled sometime last fall, but an initial internal investigation and audit failed to detect a security breach. A forensic investigator discovered the breach last week.
According to Forrester Research, data breaches of this type can cost $300 to $600 per account in fraudulent purchases, fees, and legal costs.
See "Card Data Breached, Firm Says," Wall St. Journal, January 20, 2009, at http://online.wsj.com/article/SB123249174099899837.html?mod=testMod; "Credit Card Processor Says Some Data Was Stolen," New York Times, January 20, 2009, at http://www.nytimes.com/2009/01/21/technology/21breach.html?_r=1.