Brian Krebs of the Washington Post dropped me a line this morning about a new article he posted. Heartland Payment Systems, a credit card processor, announced today, January 20th, that up to 100 million credit cards may have been exposed in what is likely the largest data breach in history. From Brian's article:
Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach. Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.
…
“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”
I want you to roll that number around on your tongue a little bit. 100 Million transactions per month. I suppose I’d try to hide behind one of the most historic events in the last 50 years if I were in their shoes.
“Due to legal reviews, discussions with some of the players involved, we couldn’t get it together and signed off on until today,” Baldwin said. “We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility.”
In a short IM conversation Brian mentioned he called the Secret Service today for a comment, and was informed they were a little busy.
We'll talk more once we know more details, but this is becoming a more common attack vector, and by our estimates it is the most common vector in massive breaches. TJX, Hannaford, and CardSystems, three of the largest previous breaches, all involved malicious software installed on internal networks to sniff cardholder data and export it.
This was also another case discovered by first detecting fraud in the card system and tracing it back to its origin, rather than through the processor's own internal security controls.
10 Replies to “Heartland Payment Systems Attempts To Hide Largest Data Breach In History Behind Inauguration”
In response to no name, 15 other processors were breached last year, but Heartland was the only one to come public with the world wide problem. Last year alone, there were 1500 breaches of varying severity.
Personally, most of you are a bunch of ignorant pseudo-intellectuals, with no life other than to spread conjecture and lies.
Does your card have to be used for them to get any info from it, or just to have an account with any CC company???
I think you should have better information from within your company than to be asking outsiders on a blog what they think.
Until there is an announcement of someone getting busted and more details, who knows? I don't expect them to say how someone did it (just opens the door for other attempts) but they should at some point be able to say "We know who did it, how they did it, and we have protected our system to prevent this and other future threats."
Just a few days after the Heartland data breach was announced someone swiped a counterfeit credit card with my account info at a car dealership in Illinois (I was in Europe at the time). Better watch your accounts folks!
Need payroll service call me at 866-341-3506.
Thank you, Erik Tonge
@ Rafal: You seem to be missing the fact that a compliant report is merely a snapshot in time … meaning it’s only relevant to the compliance of an environment at any given time.
Unless the QSA is checking daily (hourly?) there are no guarantees of continued compliance once the QSA has written the report.
[…] Largest CC breach Ever !! Yes, I am talking about Heartland. 100 million + credit cards and the accusation that they attempted to hide behind the inauguration […]
… but of course! I can't imagine VISA would allow the PCI image to be tarnished, especially in a massive case like this! I wonder who's telling the truth because according to an article I read earlier HPS claims it was PCI Compliant as of April 2008… someone's lying here.
[…] 100 million transactions a month), and some are even suggesting that Heartland has tried to play down the breach, hoping that the presidential inauguration would keep it off the front pages. This could turn out […]
According to Visa, Heartland is under review, not PCI compliant:
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
Note the “*” in the Heartland entry.