A US-based payment processor has suffered an information breach that could have compromised millions of credit-card details.
Heartland Payment Systems, one of the largest US payment processors, announced on Tuesday that it had discovered "malicious software that compromised data" across the company's network in 2008. The company processes credit-card and debit-card information from 250,000 retailers with net sales of $1.3bn (£940m) annually.
"We found evidence of an intrusion last week and immediately notified federal law-enforcement officials as well as the card brands," said Robert Baldwin, Heartland's president and chief financial officer, in a statement.
The company suspects the malware was planted as part of a "global cyber-fraud operation", and is co-operating with the US Secret Service and the Department of Justice in an investigation.
The compromise came to light after Visa and MasterCard approached Heartland citing "suspicious activity around processed card transactions", said the statement. Following a forensic investigation, Heartland found the malware.
The company said that while its payment-processing systems had been compromised, no retailer information or cardholder Social Security numbers had been exposed. No unencrypted PINs (personal identification numbers), addresses or telephone numbers were involved in the breach, the company added.
The company said it believed the malware had been "contained", and added that it would implement an intrusion-detection system to "flag network anomalies in real-time".
Heartland had not responded to a request for comment at the time of writing.

Talkback
I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.