Aargh!: Heartland Payment Processing (credit/debit card) breach

My card was declined despite having considerable balance in my checking, today at the grocery store. Beyond the embarrassment, all Visa could tell me is that they saw no problems nor alerts on my card and I'd have to call my bank on Monday. FInally, some 7 hours later, I see they have finally posted something on their online banking website:

DEBIT CARD ISSUES
"We have become aware of a minor problem affecting a small number of our members debit cards. In an attempt to replace debit cards that were compromised in the nation-wide Heartland Payment Processing breach, we may have deactivated some cards before the replacements were issued. If your debit card was declined today, please accept our apologies. We should have the issue corrected mid-day Monday."

:wtf: I had no notice that my card was among those breached nor that my banking institution was one affected~!

Has anyone else dealt with this? I know it was in the news last week, but all press I saw was very generic and downplayed the whole deal..

My credit union was switching over to some other processing doohickey or something.

It would only happen at certain merchants though.

VERY frustrating!

I did notice that often the transaction would go through if the merchant entered the info manually rather than swiping the card. Unfortunately most places won't do that.

That's what my debit transactions are labeled.

Here's a link and summary of one of the news stories from last week..
http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505

The systems penetrated by a malicious keylogger could result in a data breach that rivals the parent company of TJ Maxx in 2007.

By Thomas Claburn
InformationWeek
January 20, 2009 05:30 PM

Heartland Payment Systems, a leading payment processing company, reported on Tuesday that its systems had been compromised by malware in 2008.

The data breach could turn out to rival the massive breach reported by TJX in 2007, which affected as many as 94 million credit card accounts. Heartland handles 100 million transactions per month for more than 250,000 businesses. But the company isn't yet ready to disclose the number of credit card accounts affected.

Decrying the practice of paying bug bounties Jeff Prince, CTO of ConSentry sees NAS as evolving technology that won't just be about initial host assessment. Nathan Shuchami, CEO of Sentrigo, discusses the company's database security product. Sentrigo offers one tier of products for small/midsized companies and another for enterprises- who are all tightening security due to heightened criminal activity.
Jeff Prince, CTO of ConSentry sees NAS as evolving technology that won't just be about initial host assessment.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin Jr., Heartland's president and CFO, in a statement. "We understand that this incident may be the result of a widespread global cyberfraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

Heartland was alerted to the breach by reports of suspicious transactions from Visa and MasterCard.

In a phone interview, Baldwin said that the bulk of the exposed data consisted of credit card numbers and expiration dates, and that a subset of the exposed data also included credit card names.

Baldwin said his company couldn't yet reveal an accurate number of exposed accounts. "There are some numbers flying around now that aren't based on any discussion that Heartland has had with anyone," he said. "They are speculation. ...We just discovered this last week. We have been working around the clock to get data out to the public because it's consequential and we think it's important to be transparent on this."

In its statement about the breach, Heartland said that no merchant data, cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses, or telephone numbers were exposed.

Baldwin said his company wasn't yet ready to disclose the dates when its network was exposed. "We can say, however, that this is fully contained," he said. "That is both our view and the view of the forensic auditors we brought in to work on this issue."

Baldwin said that the breach was the result of keylogging malware, which covertly captures anything typed on an infected computer, such as user names and passwords.

"There were two elements to it, one of which was a keylogger that got through our firewall," he said. "Then subsequently it was able to propagate a sniffer onto some of the machines in our network. And those are what was actually grabbing the transactions as they floated over our network."

A sniffer is similar in concept to a keylogger, but rather than merely capturing keystrokes, a sniffer captures entire data packets on a network.

Asked whether the data was read remotely from a locally stored file or transmitted to an external site, Baldwin said, "We don't know in what way there was egress or to what extent," he said. "And that's one of the frustrating things about this. We know that a lot of transactions go across our network; we don't know the percentage of transactions that the sniffer was able to grab. And we don't know the percentage of those that the bad guys were able to access."

He added that while investigators considered the possibility that an insider might have been involved, there was no information that suggested any insider involvement.


more at the link...

since I could not do electronic payments this evening and I have bills due today and Monday.... Each time I tried, the error message said my card number did not exist...:mad:

"Minor problem, my ass....!"

Most of my banking is through credit unions, for obvious reasons... but I hear they may have been previously affected by this kind of incident as well. :shrug:

I was freaking because the message said "declined," so I was afraid my account WAS breached, when in reality, they had frozen my account on the premise that I tried to make a transaction through an affected merchant and the chance that it *might* have been a fraudulent charge.

Coincidentally, my small local bank had phone lines down for 36 hours, so I couldn't even talk to anyone during that time. It was VERY frustrating!

those 'sniffed' - right around Thanksgiving. I bought my son a jacket at Burlington Coat Factory on the 28th of November and swiped my card as a debit (yes, yes, stupid - but the line was long and the clerk not terribly bright . . . it seemed rational at the time).

On December 4th someone accessed my checking account via an ATM, using my pin - they tried three times (the first time they got the money; the next two times, at different ATMs, they were declined). The bank called the next day, reporting suspicious transactions and asking me to verify.

Got the problem straightened out and they replaced the money that was taken, but I can't think of ANY other way the thieves could have gotten my pin number.

I still don't have a card, though, since the company that makes and ships the cards for Wells Fargo has apparently shifted into an alternate dimension and is sending the cards to my alternate self - not me. I'm on my THIRD try, this time having the card sent to my local bank branch. Presumably it was shipped out on the 17th, but nothing so far. I have a sneaking suspicion that it's gone awry, as well.

Frustrating, but the delay is helping me break the debit card habit, which is probably a good thing . . .

Well . . . Whole Foods in Central NJ informed us today that they're not longer accepting

checks, at all!!! ???

They've probably decided the cost of processing them is too high.

sigh.

but, I've been trying to use the cash card less for many reasons, but mainly the added

costs to small businesses. But, I was really surprised at Whole Foods!

Bank of America did that to my husband's debit card. He tried to make some purchases and his card was declined. We went to a branch to investigate and they didn't have any answers. Said one of us must have cancelled the card. Received a new card several days later with and explanation that security had been breached for a small number of cards and they cancelled and replaced it.

I guess it prevents people from getting your information, but if we had been out of town or something, with only that card - we would have been up a creek.

they are being quite coy, it seems in specifying exactly how many and the impact, but this article gives an objective (if frightening) analysis:

http://seekingalpha.com/article/116415-heartland-payment-systems-breach-bad-as-tylenol-poisonings


Heartland Payment Systems' stock (HPY) was hit hard in the wake of what is being described as the biggest single breach of consumer and financial data security ever. The company issued statements Friday (1/23) in an effort at damage control in which the CEO compares the potential industry-wide impact of the breach to none other than that of the Tylenol poisonings of some twenty-five years ago that nearly brought down the drug maker.

Not the kind of association I would want to make for my company, but then it's not my company.

Worse yet, Heartland's press release was crafted with the kind of classic crisis-response-mode denials, deflections, and spin that we have all become so accustomed to in other sectors of the financial industry.

The data loss debacle at Heartland highlights the fact that information security will be the next major shareholder derivative and D&O liability issue, regulatory, consumer, and national security threat, and class-action litigation subject to impact our ailing economy.

Heartland CEO Robert O. Carr's statements do not contain any details of the breach or anything resembling an apology to consumers and shareholders. Instead, Carr gave himself a pat on the back for expanding Heartland's client base in spite of exposing millions of people and hundreds of banks to fraud and losses.

"Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning," Carr stated.

The press release further states "Heartland Payment Systems added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year."

When Carr does finally address the breach, he seems to imply that the lapse in data security is some kind of validation of Heartland's capacity to respond to threats to its customer base and stakeholders, but only after a breach is uncovered. Carr even managed to sound almost self-congratulatory in the process:

"Our energized organization called on the owners of more than 150,000 business locations these past three days to help them understand the breach and what it means to them. I couldn't be prouder of our entire organization for the way everyone has pulled together to help."

Kudos Heartland? No. The congratulations should instead go to the kind of executives who are proactive enough to make sure that the measures are in place from day one of contract negotiations with the systems and security providers to ensure these kinds of problems never materialize.

As soon as Heartland's stock began to tank in earnest late last week, leadership chose to respond to this breathtaking lapse in security and due diligence by acting first to reassure their clients and shareholders that all was well at the company, even a bit exciting lately - what with the opportunities the new security vulnerability will give those in the payment industry to share ideas with one another.

Now what about that data breach? You know, the whole reason for the press release in the first place? Little was offered in the press release:

"No confidential merchant data, Social Security numbers, unencrypted personal identification numbers , addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation."

If no critical data was exposed, what's the real problem then? Well, there are many.

First and most obviously is that for an unknown period of time some consumer and merchant data worthy of encryption were exposed to hackers and thieves when the data were briefly unencrypted and encrypted again during processing, according to bankinfosecurity.com.

Card reissue would solve that problem, albeit at some expense to the companies. I say companies (plural) because if Heartland's system was exposed then it can be expected that the same vulnerabilities have been exploited in systems at other companies, perhaps even in other industries with similar data security software and systems.

Hence the scramble by law enforcement and the entire financial industry to figure out what happened.

Also of note is a problem that has been at the forefront of information security from the beginning: The bad guys tend to know more than we do about the vulnerabilities in our data systems because it is worth a lot of money to them.

Aside from network audits and professionals who hunt for holes in security systems for a living (some of whom were at one time themselves hackers), most companies find out about information security issues after their networks are breached.

Even though industry leaders can show that they spend hundreds of millions of dollars on cyber-security, more and more resources - time, talent, money, reputation - are all being lost by reacting to threats after the fact.

There has been a marked increase in attempted and successful attacks on corporate, government, and military systems, yet the looming economic realities today are forcing information security executives and IT departments to try to do more protecting at less cost.

This situation poses a threat to the security of what I call our financial identities, which are made up of the ever-accumulating bits of electronic information that increasingly represent the bulk of our identity and net worth, which can disappear in minutes from a sharp dip in the markets, or in the blink of eye with just the click of a mouse.

The economic downturn is further exposing our financial identities to fraud and exploitation from external threats such as criminally intent hackers, as well as from internal threats like budget cuts, cutting corners on security due diligence, or cash-hungry employees who may succumb to the temptation to sell sensitive data in the lucrative information and identity black-markets that thrive on the Internet.

Another big problem is that despite Heartland's assurances, the company understands neither the size nor scope of the breach, let alone how it happened.

"Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative," the press release states.

Well, there is a lot to speculate about.

Given the financial industry's record of not fully disclosing damaging information to consumers or shareholders, even as required by law, it can be expected that further details of this case will reveal this breach is much worse than anyone is letting on, especially Heartland executives.

Heartland is the sixth-largest payment processor in the country, with as many as a quarter of a million payment and payroll clients, and they may be only one of many similar companies targeted in a broader criminal activity meant to defraud through malicious software known as "malware."

Visa (V) and MasterCard (MA), who first recognized discrepancies in their own records, notified Heartland of a potential problems late in 2008.

"Visa and Mastercard instructing many card issuers to offer fraud-monitoring protection, replace cards, or do a combination of both for customers whose card purchases were processed by Heartland."

Visa and MasterCard wouldn't elaborate, citing an ongoing FBI criminal investigation.

"Heartland should feel urgency to notify everyone who could be a victim, says Todd Davis, CEO of LifeLock, a fraud-monitoring service. "Victims are sitting naked, not knowing whether to take extra steps to protect themselves," he says. "The default should be toward notifying all possible victims," according to the Detroit Free Press.

Oh yes! The victims of this fiasco - what is on the agenda for them? Heartland's press release instructs them to basically fend for themselves for now, which is a fairly typical response to consumer data breaches.

"Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible," Heartland assures in their press release.

Sounds painless enough, but I really doubt it will be pain free for those who will have to deal with it.

Not only will this be a tremendously stressful and potentially time consuming endeavor for the affected cardholders, this is also a tremendous drain on the financial resources of an already troubled industry.

Heartland's stock value has lost more than 50% of its twelve-month high. Visa (V) and MasterCard (MA) have seen similar declines. Ultimately, the lawyers will join the fray, multiple lawsuits will be filed, the costs will continue to climb, and shareholder value will continue to decline.

Information and data security are essential to protecting every single individual's financial identity, and every corporation's value from falling prey to the most sophisticated forms of cyber-attack conceivable.

President Obama has indicated he is taking cyber-security very seriously, going so far as to announce the pending appointment of a cyber-advisor to spearhead efforts.

In this age of electronic everything, more than at any other time in history, losing data translates in very real terms to losing dollars, and that is widely accepted across most industries.

Moving forward, we should also start thinking of our financial identities, our investments, our assets, and all of our wealth as really being nothing more than data. Data to be to be kept safely, not lost or stolen.

Carr concluded, "Just as the Tylenol crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data - and therefore businesses and consumers - much more effectively."

If Carr is comparing this breach to the Tylenol poisonings, a textbook commercial and consumer nightmare of epic proportion - including multiple deaths - then you know this breach is going to be something really, really big in the end.