Wednesday, January 21, 2009

Payment Processor's System Breached

Heartland Payment Systems has disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants, reports USAToday.

Robert Baldwin, Heartland's president and CFO, said in a USAToday interview that the intruders had access to Heartland's system for a month or more in late 2008. The number of victims is unknown. "We just don't have the information right now," Baldwin said.

Tech security experts said the breach could set a record. Retail giant TJX lost 94 million customer records to hackers in 2007. With more than 100 million transactions per month, they could discover that several months' worth of transactions were captured, says Michael Maloof, chief technology officer at TriGeo Network Security.

Heartland processes card payments for restaurants, retailers and other merchants. It discovered the hack last week after Visa and MasterCard notified it of suspicious transactions stemming from accounts linked to its systems. Investigators then found the data-stealing program planted by the thieves.

"Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions," said Baldwin. "This is a very sophisticated attack." Once it sorts out the matter, Heartland plans to notify each victim whose data were stolen to comply with data-loss disclosure laws in more than 30 states, Baldwin said.

[In my discussions with vendors regarding PA-DSS regulations, which I will be covering at length here soon, there is a consensus that the payment processors and banks themselves are more at risk than the merchants are....]
