CreditCards.com

Protecting yourself

Payment processor involved in massive data breach offers few answers

Emily Crone

Credit card and debit card data breaches are nothing new, and major precautions have been put in place in an attempt to stop them. Not only do they persist, but they continue to be more widespread than ever.

Yesterday, news broke of what may be the largest breach of credit and debit card information in history, according to the Washington Post’s Brian Krebs. Heartland Payment Systems, based in Princeton, N.J., is the payment processor involved. They serve more than 250,000 businesses, though they aren’t saying which were affected; the CFO, Robert Baldwin, says it wouldn’t be fair to mention any one client, according to the Post. What he is saying is that more than 100 million transactions go through Heartland’s platforms each month, and the number of accounts affected could be even higher than that (though they aren’t yet sure how many were affected).

Heartland has created a Web site, www.2008breach.com, to give further information about the incident. The site downplays the extent of the damage, saying “Heartland believes the intrusion is contained.”

The stolen information, including names, credit/debit card numbers and expiration dates, was obtained through malicious software installed in Heartland’s networks. The payment processor says it does not know how the software got there, how long it was in place or how many accounts it compromised.

The fraudulent activity was noticed late last year and an investigation was launched, but the source of the breach wasn’t discovered until last week. It was announced on Tuesday; Baldwin said the company wanted to announce it earlier, but couldn’t pull it off until Tuesday due to legal reviews. But it was inauguration day, when most consumers were distracted with the historical events. Coincidence? No, says Avivah Litan, a Gartner Inc. fraud analyst quoted in the Post. “This looks like the biggest breach ever disclosed, and they’re doing it on inauguration day? I can’t believe they waited until today to disclose,” Litan says. “That seems very deceptive.”

Heartland is not offering anything to victims, such as free credit monitoring or identity theft protection, which is traditionally handed out after a data breach. Information that would likely result in identity theft, such as addresses, telephone numbers, PIN numbers and Social Security numbers, were not stolen, so the company doesn’t think it warrants any compensation. Baldwin says while it’s not impossible, it is less likely that thieves would use the stolen credit card numbers to make online purchases since they only have partial information.

“Heartland apologizes for any inconvenience this situation has caused,” the company says on its breach Web site. “Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.”

How do you know if you were a victim? You were probably issued a new credit or debit card without an explanation from your issuer. You may not have received any information at all. It’s advisable for all credit card and debt card users to frequently check their statements in addition to their credit reports in order to ensure everything looks right.

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

  • Phil Davis

    What a crock. They lose my credit card information because they aren’t smart enough or diligent enough to figure out that one or more of their (supposedly secure) systems is sending our data to the hackers for months and months. Secure systems indeed. I’ll bet their management got full disclosure of the merchants involved so they could take appropriate action but we poor card holders get to hold the bag and pay the for the pleasure. Another sad commentary on corporate greed and lack of care for their customers.