The company is working with the US Secret Service over the
breach, which was uncovered last week, the company said.
Visa and MasterCard alerted the company to fraudulent
transactions on cards which had been processed by Heartland last
autumn. An investigation last week uncovered a compromise of its
systems which allowed customer information to be collected.
"Heartland immediately took a number of steps to further secure
its systems. In addition, Heartland will implement a
next-generation program designed to flag network anomalies in
real-time and enable law enforcement to expeditiously apprehend
cyber criminals," it said.
"We found evidence of an intrusion last week and immediately
notified federal law enforcement officials as well as the card
brands," said Heartland president Robert Baldwin. "We understand
that this incident may be the result of a widespread global cyber
fraud operation, and we are cooperating closely with the United
States Secret Service and Department of Justice."
Heartland processes transactions for more than a quarter of a
million businesses in the US, it said.
Baldwin told the Wall Street Journal that the software which had
made its way into the company's systems was "light-years more
sophisticated" than common programs available from the
internet.
Two years ago the company behind retailer TK Maxx suffered a
credit card data breach when 45 million records were
compromised.
US non-profit ID theft victim support organisation The Identity
Theft Resource Center said that in 2008 the number of breaches of
personal information had risen by 47% in a year, to 656
breaches.
Most US states have laws which force companies to disclose when
data breaches occur. European Union authorities are debating the
creation of a similar law, though the current draft would apply
only to telecoms companies. The EU Data Protection Supervisor has
called for it to be extended to banks and other online data
handlers.
The UK Government said last year that it did not back the
creation of a data breach law in the UK and the Information
Commissioner's Office (ICO) agreed.