MasterCard, Visa warn security breach may compromise data

Visa and MasterCard have begun notifying member banks around the nation to contact patrons whose card accounts may have been compromised in the Heartland Payment Systems data breach.

Robert Baldwin, Heartland's President and CFO, said in a USA TODAY interview that Visa and MasterCard are "instructing many card issuers" to offer fraud-monitoring protection, replace cards, or do a combination of both for customers whose card purchases were processed by Heartland. "We're heartsick over this," Baldwin said.

Visa and MasterCard declined to elaborate, citing an ongoing FBI criminal investigation.

Heartland disclosed Tuesday that intruders cracked the system it uses to process 100 million card transactions per month from 175,000 merchants. Heartland began investigating late last fall, tipped by Visa and MasterCard, but its tech staff was stumped. "We brought in a forensic auditor and worked for over a month, and only last week we found proof that our system had been breached," Baldwin said. "Up to that point we had no internal data suggesting any breach."

The case could turn out to be the largest data breach yet reported. Anyone who used a payment card at one of the restaurants or retailers that rely on Heartland to process card transactions could be at risk. These merchants include "independent business people in towns and cities across America," including some franchise chains, "but not any corporate names anybody would recognize," Baldwin said. Heartland has been unable to ascertain "a specific start and end date" for the intrusion, and has not been able to determine how many transaction records were stolen, he said.

Security and privacy experts say Heartland should assume all accounts that made transactions when the intruders were on the system are compromised. "Are we talking two weeks or two months?" says Roel Schouwenberg, senior antivirus researcher at Kaspersky Lab. "With proper forensics they should be able to conclude the maximum number of possible victims."

Whatever the number, it will be costly. Retail giant TJX set aside $197 million in reserves to deal with the 2007 theft of 94 million records. "This is TJX on steroids," says Paul Davie, COO of database management company Secerno.

Heartland should feel urgency to notify everyone who could be a victim, says Todd Davis, CEO of LifeLock, a fraud-monitoring service. "Victims are sitting naked, not knowing whether to take extra steps to protect themselves," he says. "The default should be toward notifying all possible victims."