Card breach biggest ever; Credit union in Gardner hit.
In what is being described as the largest credit card breach in history, thieves using "malicious software" have stolen credit card information from a New Jersey-based card processing company. In reaction, at least one local credit union has issued new credit cards to thousands of its members.
Heartland Payment Systems Inc. of Princeton, N.J., reported yesterday that cyber thieves stole card numbers, expiration dates and internal bank codes from the company, which could all be used to make duplicate debit and credit cards. Heartland Payment Systems processes credit cards for more than 250,000 restaurants and small businesses nationwide.
In a statement, the company said that perhaps 40 percent of its data was compromised. The company processes 100 million transactions each month, meaning the number of cards compromised could be in the tens of millions.
GFU Federal Credit Union in Gardner received notice of the theft of credit card information from MasterCard and Visa on Jan. 9, and decided to issue new cards to thousands of its customers.
"We didn't have any losses to members," said Kelli Mason, GFU's vice president of sales and service. "We wanted to be as proactive as possible."
GFU placed daily limits on the accounts of customers whose accounts were compromised, in an attempt to limit possible losses. Customers began receiving new cards on Tuesday, she said. Limits would be lifted on the new cards.
Ms. Mason said the credit union's customer information was never compromised, but that the cards themselves were compromised, leaving them open to being copied and used illegally.
"There was some inconvenience to our customers, but we tried to limit it as best we could," she said.
Heartland says it has closed the security hole that allowed criminals to infiltrate its systems, but the matter is far from settled. The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company's survival if the big card brands decide to cut off Heartland from connecting to their networks.
One big payment processor, CardSystems Solutions, went under after a 2005 data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with CardSystems. Representatives for Visa Inc. and MasterCard Inc. declined to comment.
Heartland says it doesn't know yet how much data was stolen, since the malicious program was capturing data as it flowed across the network, and in that type of intrusion it's hard to figure out how much data was snatched in transit by the interlopers.
Heartland said that while no merchant data, cardholder Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers were stolen, it is too early to quantify how many cards are compromised.
"We understand that this incident may be the result of a widespread global cyber-fraud operation, and we are cooperating closely with the United States Secret Service and the Department of Justice," Heartland president and CEO Robert Baldwin said in a prepared statement.
In reaction to the news, banks and credit unions in Massachusetts are determining a course of action, said Peter T. Blanchard, executive director of the Massachusetts Bankers Association.
"We have to wait and see what comes out of it," Mr. Blanchard said. Some banks are monitoring their customer accounts for suspicious charges, others are asking customers if they would like to be issued new debit or credit cards, and others are simply reissuing cards to all customers who are affected.
"The whole purpose of any action is to protect the customer," he said.
The company says the average merchant in its network does about $350,000 a year in Visa and MasterCard transactions.
Security experts say it's fair to assume the worst until Heartland gets its arms around the size of the problem.
"Data breaches are like pregnancy - you can't be partly pregnant, and once your data has been compromised, you have to assume all your data's been compromised, unless you can prove otherwise," said Michael Argast, security analyst with the Sophos security software firm.
Unlike a breach involving a single merchant, where the retailer risks losing its customers' confidence, a payment processor that's breached risks losing the confidence of its merchants, which Argast said was much more significant. Consumers typically don't have to pay for fraudulent charges on their accounts, whereas merchants can be saddled with big costs when their businesses are the victims of fraud.
The industry's security requirements call for payment processors to have separate networks - one for the financial transactions, and another for their general corporate tasks. Heartland won't say how the malware got into the network that processes financial transactions or when it was planted there.
"If you're actually able to compromise that protected network, you're in, man - you have the keys to the kingdom," said Mike Rothman, senior vice president of strategy for security software vendor eIQnetworks Inc. "I presume they were able to sniff a large part of the payment traffic at the time the network was compromised."
"Unfortunately the bad guys are very, very good," Baldwin said. "The malware we encountered did not, and does not, get very well captured by antivirus software, so it's a challenge we're going to have to keep working as an industry to combat."
The breach might top the 45 million credit and debit card numbers exposed in 2007 by a theft at TJX Companies Inc. in Framingham, the parent of retailers Marshalls and TJ Maxx.
Heartland also has established a Web site, www.2008breach.com, to provide information about the incident. Material from The Associated Press was used in this report.
|Publication:||Telegram & Gazette (Worcester, MA)|
|Date:||Jan 22, 2009|