Heartland Payment Systems Breach


EDIT: See my own personal thoughts here.

EDIT: Check the comments from Joshua Nieuwsma at the bottom of this Wired blog post. He appears to be a Heartland employee defending and providing some commentary on this situation.

EDIT: More detail at Security Fix: Payment Processor Breach May Be Largest Ever

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have led to the theft of more than 100 million credit and debit card accounts, the company said today.


… it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.


I saw this “Heartland uncovers malicious software” press release. Some relevant paragraphs snagged:

“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.


Heartland has created a website - www.2008breach.com - to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

I met the CSO (Chief Security Officer) of Heartland Payment Systems at a Society of Payment Security Professionals - CPISM/A Training Boot Camp in late 2008. I have to say that I was pretty impressed with his knowledge of the payment industry and, more related to this, his security posture and knowledge of PCI.

What does this mean to you? If you are a cardholder who shopped at a merchant that HPS was the processor for (you won’t know this unless the merchant contacts you), you need to monitor your statements for fraudulent unauthorized activity. If you are a merchant, then you need to contact HPS if they haven’t contacted you already. The good news is that HPS was PCI Compliant. Let this serve as an example that PCI Compliance does not prevent breaches, that Compliance is a snapshot in time, that Compliance != Security, and that Security is a process.

But this statement:

“After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.”

suggests that account numbers were compromised and used, for Visa and MC to have alerted Heartland.

However, I applaud HPS for alerting the public via a press release as well as creating a website for more information. However, I do, like others, question the timing of the release.

Also, in case you are wondering if Heartland was PCI Compliant: listed by Visa as PCI compliant April 30/2008 by QSA Trustwave.

