Massive credit-card security breach

[Darth Wong]

Hackers attack credit card processor in massive security breach
Last Updated: Wednesday, January 21, 2009 | 9:41 AM ET
CBC News

A U.S.-based company that processes credit card transactions for more than 250,000 businesses has uncovered a massive security breach, officials said Tuesday.

New Jersey-based Heartland Payment Systems said malicious software in its processing system was uncovered last week.

Canadian merchants were not believed to be affected, although consumers who may have travelled to the U.S. and used a Visa or MasterCard credit card are advised to check their credit card statements for any irregularities.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," Robert H.B. Baldwin Jr., Heartland's president and chief financial officer, said in a release.

"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are co-operating closely with the United States Secret Service and Department of Justice."

The company said the breach did not affect merchant data, social security numbers, unencrypted personal identification numbers, addresses or telephone numbers.

CBC News' Marivel Taruc, who spoke with Baldwin, said authorities suspect Heartland may not be the only company to have been hacked in this operation. Authorities suspect the extent of the breach could be among the largest ever committed.

"The other concern here [is] cyber experts are saying this could be the biggest breach of credit card fraud online ever … because Heartland processes 100 million transactions every month," Taruc said.

The largest online data breach — in which more than 94 million credit and debit cards were exposed — was committed in January 2007 against the TJX Cos.

A probe by the privacy commissioner's office found the Massachusetts-based parent company of Winners and HomeSense collected too much information, kept the data for too long and relied on weak WEP encryption technology to protect its wireless local networks.

The privacy commissioner also found the hackers did not use sophisticated equipment to break into the computer system.

Wonderful. They process a hundred million transactions every month and they rely on WEP for security on their wireless networks.

[Admiral Valdemar]

Oh wow. Why didn't they cut out the middle-man and just hand out information CD-ROMs to passers by?

[Darth Wong]

Why aren't financial institutions ever sued for negligence? Or am I just not hearing about these lawsuits? It seems to me that the whole goddamned industry has been ridiculously careless for a long time now, and not just about network security.

[General Zod]

Why aren't financial institutions ever sued for negligence? Or am I just not hearing about these lawsuits? It seems to me that the whole goddamned industry has been ridiculously careless for a long time now, and not just about network security.

It probably doesn't help that the financial institutions have armies of lawyers at their disposal and you practically have to be a billionaire to even really consider suing them successfully.

[Glocksman]

Wonderful. They process a hundred million transactions every month and they rely on WEP for security on their wireless networks.

That's my employer's (TJX) breach, not Heartland's.
The article doesn't say how the malicious software got in Heartland's setup.

[Solauren]

Quite frankly, malicious software getting into any kind of finacial system reaks of pour security.

Maybe they shouldn't be sued, but someone should lose their job(s) over this.