Credit card and debit card data breaches are nothing new, and major precautions have been put in place in an attempt to stop them. Not only do they persist, but they continue to be more widespread than ever.
Yesterday, news broke of what may be the largest breach of credit and debit card information in history, according to the Washington Post’s Brian Krebs. Heartland Payment Systems, based in Princeton, N.J., is the payment processor involved. They serve more than 250,000 businesses, though they aren’t saying which were affected; the CFO, Robert Baldwin, says it wouldn’t be fair to mention any one client, according to the Post. What he is saying is that more than 100 million transactions go through Heartland’s platforms each month, and the number of accounts affected could be even higher than that (though they aren’t yet sure how many were affected).
Heartland has created a Web site, www.2008breach.com, to give further information about the incident. The site downplays the extent of the damage, saying “Heartland believes the intrusion is contained.”
The stolen information, including names, credit/debit card numbers and expiration dates, was obtained through malicious software installed in Heartland’s networks. The payment processor says it does not know how the software got there, how long it was in place or how many accounts it compromised.
The fraudulent activity was noticed late last year and an investigation was launched, but the source of the breach wasn’t discovered until last week. It was announced on Tuesday; Baldwin said the company wanted to announce it earlier, but couldn’t pull it off until Tuesday due to legal reviews. But it was inauguration day, when most consumers were distracted with the historical events. Coincidence? No, says Avivah Litan, a Gartner Inc. fraud analyst quoted in the Post. “This looks like the biggest breach ever disclosed, and they’re doing it on inauguration day? I can’t believe they waited until today to disclose,” Litan says. “That seems very deceptive.”
Heartland is not offering anything to victims, such as free credit monitoring or identity theft protection, which are traditionally offered after a data breach. Information that would likely result in identity theft, such as addresses, telephone numbers, PINs and Social Security numbers, was not stolen, so the company doesn’t think the breach warrants any compensation. Baldwin says that while it’s not impossible, it is less likely that thieves would use the stolen credit card numbers to make online purchases since they only have partial information.
“Heartland apologizes for any inconvenience this situation has caused,” the company says on its breach Web site. “Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.”
How do you know if you were a victim? You were probably issued a new credit or debit card without an explanation from your issuer. You may not have received any information at all. It’s advisable for all credit card and debit card users to check their statements frequently, in addition to their credit reports, to ensure everything looks right.