Wednesday, January 21, 2009

Heartland Payment Systems Says it Suffered Grievous Security Breach, Revelation Made on Inauguration Day to Fly Under Radar

Credit card processor Heartland Payment Systems announced Tuesday that it suffered a grievous security breach sometime in 2008, allowing hackers the opportunity to steal credit card information on what is possibly more than 100 million accounts. Funny how this revelation was timed to be disclosed with President Obama's inauguration. You know, to fly under the radar, if you will. Heartland is the sixth largest payment processor in the country, and specializes in transaction processing for small-to-medium-sized restaurants and retailers. According to Wired’s Threat Level, it processes more than 100 million transactions a month.

According to media reports, federal investigators determined the source of the breach only last week: spyware installed somewhere on the company's internal network that sniffed unencrypted credit card transactions as they passed through Heartland’s systems. Actual damage assessments are still in progress, but one could rightly ask just how much data the malware was able to capture.

Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers. Isn't that serious enough? Maybe it's just me, but I smell a humongous rat. Of course, Baldwin would not speculate on the actual number of credit card accounts exposed. The company’s press release, however, could confirm that the breach had no effect on the company’s other services, which include payroll and check processing, micropayment solutions, and its recent acquisitions, the Network Services and Chockstone processing platforms. Similarly, cardholders’ addresses, PINs, and other personal data were also unaffected.

The unknown hackers’ sniffers were able to pick up credit card numbers because the data is sent unencrypted over Heartland’s internal network, a policy that Baldwin justified as necessary “to get the authorization request out.” Well, let's just see how this will play out. There is more to this.
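The lesson for anyone running a payment network is that cleartext authorization traffic is exactly what a sniffer harvests, so the defender's first check is whether card numbers are visible on the wire at all. The following is an added example, not code from the post or from Heartland: it scans a constructed capture of an authorization request (the field names and values are invented for illustration) for Luhn-valid 13- to 19-digit runs and reports them masked, the kind of check a data-loss-prevention probe would run on an internal segment.

```python
import re

# Constructed sample of what a cleartext authorization request on an internal
# segment might look like; hostnames, fields and numbers are invented, and the
# card numbers are well-known test numbers, not real accounts.
SAMPLE_CAPTURE = (
    b"POST /auth HTTP/1.1\r\nHost: auth.internal.example\r\n\r\n"
    b"mti=0100&pan=4111111111111111&exp=1212&amt=001999&trace=000123\r\n"
    b"pan=1234567890123456&exp=0110&amt=000500\r\n"   # fails Luhn: not a PAN
    b"pan=5555555555554444&exp=0311&amt=004200\r\n"
)

# A card number is 13-19 digits not embedded in a longer digit run.
_DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (PCI DSS display rule), mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return masked, Luhn-valid card numbers found in a cleartext payload."""
    found = []
    for m in _DIGIT_RUN.finditer(payload):
        digits = m.group().decode("ascii")
        if luhn_valid(digits):      # drops trace numbers, amounts, bad digits
            found.append(mask_pan(digits))
    return found


if __name__ == "__main__":
    for pan in find_cleartext_pans(SAMPLE_CAPTURE):
        print("cleartext PAN on the wire:", pan)
```

Any hit from a probe like this on a segment that is supposed to carry only encrypted or tokenized data is a finding in itself, before any sniffer is ever found.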
