Blog: Data Breach

ICBA and Visa are providing a free Data Breach Toolkit to all ICBA member banks.  The toolkit was developed in response to the recent data breach at Heartland Systems, and is designed to help community banks answer customers' questions following a breach of credit and debit card account information.  The toolkit provides member banks with customizable materials, including cardholder letters, statement inserts, FAQs and media statements.  You can log in to receive your toolkit at


Yesterday, Heartland Payment Systems, Inc. disclosed a data breach that could be bigger than the TJX Companies, Inc.'s January 2007 breach.  Heartland, one of the largest payment processors in the country, said it discovered the intrusion last week after being alerted by Visa and MasterCard to suspicious activity.  The company says it believes intruders planted malicious software designed to steal card data on the company's network sometime last year; however, the company has not yet disclosed when the card companies informed it of the breach, when the breach took place in 2008, how long the intruders remained undetected, or how many cards might have been compromised.  Heartland claims no merchant data, cardholders' Social Security numbers, or unencrypted personal identification numbers (PINs), addresses or telephone numbers were compromised.

When a card is stolen, crooks typically "validate" the card with certain types of small transactions.  It has been noted that these types of transactions have increased nearly 20% over the past few months; however, it is not clear yet if this is related to the Heartland breach.  Currently, Heartland processes more than 100 million card transactions per month.

This is the second known compromise involving a large payment processor over the past few weeks.  On December 23rd, RBS WorldPay announced its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million cardholders.  Payment processors are a prime target for cybercriminals due to the volume of transactions and information they handle.