January 22, 2009, 10:43 AM — SAN FRANCISCO (AP) -- As data breaches go, a single merchant getting hacked is bad enough. Even worse is an intrusion into the systems of big payment processors, which could potentially put customer credit card data at risk at the hundreds of thousands of merchants whose transactions are crunched there.
The revelation this week by Heartland Payment Systems, the sixth-largest payment processor in the U.S., that criminals had secretly installed spying software on its computer network could go down as one of the biggest data breaches on record.
Heartland says it has closed the security hole that allowed criminals to infiltrate their systems, but the matter is far from settled. The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company's survival if the big card brands decide to cut off Heartland from connecting to their networks.
One big payment processor, CardSystems Solutions, went under after a 2005 data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with CardSystems. Representatives for Visa Inc. and MasterCard Inc. declined to comment.
Heartland says it doesn't know yet how much data was stolen, since the malicious program was capturing data as it flowed across the network, and in that type of intrusion it's hard to figure out how much data was snatched in transit by the interlopers. But the potential damage could be very large because Heartland processes 100 million transactions a month, mostly for small to medium-sized businesses.
The company says the average merchant in its network does about $350,000 a year in Visa and MasterCard transactions.
Security experts say it's fair to assume the worst until Heartland gets its arms around the size of the problem.
"Data breaches are like pregnancy -- you can't be partly pregnant, and once your data has been compromised, you have to assume all your data's been compromised, unless you can prove otherwise," said Michael Argast, security analyst with the Sophos security software firm.
Unlike a breach involving a single merchant, where the retailer risks losing its customers' confidence, a payment processor that's breached risks losing the confidence of its merchants, which Argast said was much more significant. Consumers typically don't have to pay for fraudulent charges on their accounts, whereas merchants can be saddled with big costs when their businesses are the victims of fraud.
The industry's security requirements call for payment processors to have separate networks -- one for the financial transactions, and another for their general corporate tasks. Heartland won't say how the malware got into the network that processes financial transactions or when it was planted there.
"If you're actually able to compromise that protected network, you're in, man -- you have the keys to the kingdom," said Mike Rothman, senior vice president of strategy for security software vendor eIQnetworks Inc. "I presume they were able to sniff a large part of the payment traffic at the time the network was compromised."
Robert Baldwin, Heartland's president and chief financial officer, said the thieves accessed a part of Heartland's network that handles transactions for 175,000 of the 250,000 merchants the company works with. He said the program slipped past Heartland's antivirus software and was able to read data in unencrypted form as it was passed from Heartland to the card brands.
Baldwin said Heartland uses heavy encryption, which means its data is cloaked in special computer coding so unauthorized computers can't read it, but added that the data has to be sent in unencrypted form to the card brands, which is where the criminals were able to spot it.
The biggest exposure was for card numbers and expiration dates, and in some cases the cardholders' names, Baldwin said. He emphasized that no PIN codes were believed stolen. Baldwin added that the company passed an industry-mandated security inspection in April.
"Unfortunately the bad guys are very, very good," he said. "The malware we encountered did not, and does not, get very well captured by antivirus software, so it's a challenge we're going to have to keep working as an industry to combat."
Heartland hasn't identified the merchants that may have been affected by the breach, so it's difficult for consumers to identify whether they might be victims of fraud. Security experts consistently advise people to monitor their credit card statements for unusual charges -- even small charges, which can mean criminals are testing the account out to make sure it works -- and to limit their purchases on debit cards since debit-card fraud sucks cash directly out of victims' accounts.