Don’t bother going to the web site created by Heartland Payment Systems, a company you’ve probably never heard of before now, for information about the security breach that occurred there several weeks ago (or longer). There isn’t really any more information there than is contained in this news release:
NEW YORK, Jan 20 (Reuters) – Credit-card processor Heartland Payment Systems (HPY.N: Quote, Profile, Research) said on Tuesday cyber thieves breached its system in 2008 and stole credit card information.
The company said cardholders would not be held responsible for unauthorized, fraudulent charges made by third parties.
Heartland said it was alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions and started an investigation, which uncovered software that compromised data that crossed Heartland’s network.
When you use your credit card the information goes from the merchant to a processing company and from the processing company to the credit card companies (or their agents) and to banks. Heartland is a processing company.
Here’s apparently what happened:
- Some time ago there was a security breach at Heartland.
- They don’t know who was responsible.
- Heartland didn’t uncover the breach until they were notified by Visa and Mastercard of fraudulent charges coming through.
- Heartland believes they’ve now closed the security breach. We’ll find out.
- No Social Security numbers, addresses, phone numbers, or unencrypted PIN’s were involved in the breach. Consequently, there should be no risk of identity theft. Again, we’ll find out.
- If your card information was compromised, you’re not liable for fraudulent charges that have been made using that information.
I think we’re going to see a lot more of this sort of activity. Its cost and risks are relatively low and the rewards potentially extremely high. Even though the risks to consumers have been reduced, millions or even billions of dollars in direct and indirect costs will be incurred by consumers.
Just as you know that you’ve got a powerful enough lightbulb in your lamp when you can read by its light, you know you have been sufficient security measures in place when you don’t have security breaches. Obviously, Heartland’s security was inadequate.
IMO credit card companies and processing companies don’t have high enough incentives to provide security. They need to be held responsible automatically not just for the charges but for the direct and indirect costs incurred by credit card customers and merchants not to mention the aggravation. Under the circumstances, watch for the class action lawsuits. Keep track of your costs.
Update
See also Bruce Schneier on security breach notification.
Update 2
There’s a significantly longer article on the security breach at the Washington Post which says it “may make the Heartland incident one of the largest data breaches ever reported”. There’s one snippet of additional information in the article beyond what I’ve repeated already:
A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.
Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised.
As I noted above the incentives for this kind of criminal activity are potentially quite high while the incentives for preventing it are, apparently, not high enough.
See http://www.schneier.com/blog/archives/2009/01/state_data_brea.html for related information on this subject.
Thanks, Dale. It’s tangentially related and I’ll update the post accordingly.