A Whale of a Data Breach Surfaces
One hundred million or more MasterCard and Visa cardholders may have had their personal information compromised in the latest security data breach by payment processor Heartland Payment Systems.
The firm’s payment processing platform handles about 100 million transactions a month for 250,000 businesses. The source of the breach, undiscovered until last week, was apparently in place for a while; fraudulent activity reports by MasterCard and Visa began showing up late last year on cards that were used at Heartland’s client/merchants to process payments. About 40% of Heartland’s clients are small- and mid-sized restaurants.
The source of the breach was malicious software that surreptitiously collected customer data as it was sent for processing to Heartland by the company’s retail clients. The stolen data include names, credit and debit card numbers and expiration dates.
But then, there’s a good chance you haven’t heard about this because Heartland’s announcement of the breach, the largest in history, was released on January 20, a day when most people were focused on the presidential inauguration. Some suggest the timing of the announcement was no accident.
What’s more galling, though, is that Heartland President Robert Baldwin said it wasn’t “appropriate” for the company to offer consumers identity theft protection services because only names, credit/debit card account numbers and their expiration dates were lifted. Without addresses, he said, it would be difficult to fashion counterfeit credit cards without that information. According to Baldwin,
“In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers.”
Maybe what Mr. Baldwin is really concerned about is the inconvenience of providing free identity theft protection monitoring services to roughly one-third of the U.S. population.
