Malware Swipes Millions of Credit Cards

A security breach shows failings in security rules.

Tens of millions of credit cards could be at risk of fraudulent use thanks to a serious computer-security breach at financial-transactions company Heartland Payment Systems. Earlier this week, Heartland revealed that a piece of malicious software, apparently installed inside the company's transaction-processing system last year, had compromised credit-card data as it crossed the network.

Credit: Technology Review

The breach was announced on Tuesday--the day of the U.S. presidential inauguration--and, according to some experts, it shows that attackers are successfully defeating the financial industry's tough computer-security rules. "The potential is certainly there for this to be one of the biggest, if not the biggest breach we've seen," says Rich Mogull, founder of computer-security consulting company Securosis. "Something huge had to have gone wrong here."

It's not clear precisely what kind of malicious software was used, or how many credit-card accounts were compromised. But company president Robert Baldwin has said that Heartland handles as many as 100 million transactions per month.

From a consumer perspective, the level of danger stemming from the Heartland breach is uncertain but significant. Heartland has declined to say which merchants were involved in the fraudulent transactions, or how long the malicious software was operating. But the company serves more than 250,000 locations, with a particular focus on small businesses such as restaurants and hotels.

Heartland has created a website to answer customers' questions regarding the break-in. Some credit-card companies are already notifying subscribers, and others may simply issue new cards. But consumers have been warned to keep a close eye on their statements. Most credit-card companies will cover the cost of unauthorized activity completely, as long as the fraud is reported within several months.

Story continues below

Heartland executives say that their first danger sign came in the form of warnings from MasterCard and Visa regarding suspicious transaction activity related to the company's business. Heartland hired forensic computer specialists to investigate, and last week discovered the malware on its system, according to statements issued by the company.

Heartland says that the compromised data did not include personal information such as addresses, PIN numbers, Social Security numbers, or phone numbers, reducing the threat of full-blown identity theft. However, security experts say that the data stolen could be used to create cloned versions of the original credit cards, with nothing more complicated than blank magnetic-strip cards and a sub-$200 card writer. In most cases, these false cards would have to be used at a physical location since online purchases and other "card not present" transactions typically require a customer's address or other identifying information to be supplied.