MasterCard, Visa warn security breach may compromise data

— -- Visa and MasterCard have begun notifying member banks around the nation to contact patrons whose card accounts may have been compromised in the Heartland Payment Systems data breach.

Robert Baldwin, Heartland's President and CFO, said in a USA TODAY interview that Visa and MasterCard are "instructing many card issuers" to offer fraud-monitoring protection, replace cards, or do a combination of both for customers whose card purchases were processed by Heartland. "We're heartsick over this," Baldwin said.

Heartland disclosed Tuesday that intruders cracked the system it uses to process 100 million card transactions per month from 175,000 merchants. Heartland began investigating late last fall, tipped by Visa and MasterCard; but its tech staff was stumped. "We brought in a forensic auditor and worked for over a month, and only last week we found proof that our system had been breached," Baldwin said. "Up to that point we had no internal data suggesting any breach."

The case could turn out to be the largest data breach yet reported. Anyone who used a payment card at one of the restaurants or retailers that rely on Heartland to process card transactions could be at risk. These merchants include "independent business people in towns and cities across America," including some franchise chains, "but not any corporate names anybody would recognize," Baldwin said. Heartland has been unable to ascertain "a specific start and end date" for the intrusion, and has not been able to determine how many transaction records were stolen, he said.

Security and privacy experts say Heartland should assume all accounts that made transactions when the intruders were on the system are compromised. "Are we talking two weeks or two months?" says Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. "With proper forensics they should be able to conclude the maximum number of possible victims."