Yesterday, Heartland Payment Systems, Inc. disclosed a data breach that could be bigger than the TJX Companies, Inc.'s January 2007 breach. Heartland, one of the largest payment processors in the country, said they discovered the intrusion last week after being alerted by Visa and MasterCard of suspicious activity. The company says they believe intruders planted malicious software designed to steal card data on the company's network sometime last year; however, the company has not yet released when the card companies informed them of the breach, when the breach took place in 2008, how long the intruders remained undetected, or how many cards might have been compromised. Heartland claims no merchant data, cardholders' Social Security numbers, or unencrypted personal identification numbers (PIN), addresses or telephone numbers were compromised.
When a card is stolen, crooks typically "validate" the card with certain types of small transactions. It has been noted that these types of transactions have increased nearly 20% over the past few months; however, it is not clear yet if this is related to the Heartland breach. Currently, Heartland processes more than 100 million card transactions per month.
This is the second known compromise involving a large payment processor over the past few week. On December 23rd, RBS WorldPay announced its systems had been breached by unknown intruders resulting in the compromise of personal information belonging to about 1.5 million card holders. Payment processors are a prime target for cybercriminals due to the volume of transactions and information.