In what could result in one of the country's largest data breaches, Heartland Payment Systems said Tuesday that its payment processing system was compromised in 2008 by a widespread criminal operation.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," Robert Baldwin, Jr., Heartland's president and CFO, said in a statement. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
Visa and MasterCard first alerted the Princeton, N.J.-based company after noticing suspicious activity involving processed card transactions, Heartland said.
Heartland Payment Systems offers credit, debit, prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide, the company said.
Baldwin told the New York Times that key information, such as card numbers, expiration dates, and cardholder names, may have been exposed after malware intrusion attacks on its processing systems, where data had been left unencrypted.
Sniffer software was used to capture data that was exposed as Heartland sought authorization from the major payment companies and banks, Baldwin told the Times. Users of Visa, MasterCard, American Express and Discover Financial cards were vulnerable.
"We have industry-leading encryption, but the data has to be unencrypted to request the information," Baldwin said. "The sniffer was able to grab that authorization data at that point."
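The exposure Baldwin describes is card data sitting in cleartext on the processor's network at the moment an authorization request is built. One control a defender can put on that segment is a monitor that raises an alert whenever a Luhn-valid primary account number appears unencrypted in a captured message. The script below is an added example written for this article; it is not Heartland's code or any vendor's product. The message format, field names and the three sample authorization requests are constructed (the 4111... value is the widely published test card number, not a real account), and the check is deliberately simple: a digit-run regex filtered by the Luhn mod-10 test, with only a masked PAN written to the alert.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (so amounts and merchant ids are not swallowed).
PAN_RE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample traffic, not a real capture. Message 0 carries the card number
# in cleartext (the failure mode in the article); message 1 carries only a token;
# message 2 contains a 16-digit reference that is not a card number.
SAMPLE_AUTH_REQUESTS = [
    b"AUTH_REQ merchant=000123 pan=4111111111111111 exp=1210 amt=4999",
    b"AUTH_REQ merchant=000123 token=tok_9f3a1c amt=4999",
    b"AUTH_REQ merchant=000123 ref=1234567890123456 amt=1500",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload: bytes) -> list[str]:
    """Return the Luhn-valid digit runs found in cleartext in one captured message."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode("ascii")
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep only the first six and last four digits so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(messages: list[bytes]) -> list[tuple[int, str]]:
    """Scan captured messages; return (message index, masked PAN) for each cleartext card number."""
    alerts = []
    for idx, msg in enumerate(messages):
        for pan in find_cleartext_pans(msg):
            alerts.append((idx, mask(pan)))
    return alerts


if __name__ == "__main__":
    for idx, masked in scan_capture(SAMPLE_AUTH_REQUESTS):
        print(f"ALERT: cleartext PAN {masked} in message {idx}")
```

Run against the constructed sample, only message 0 produces an alert; the tokenized request and the non-Luhn reference number pass silently. In practice the monitor would be fed from a span port or host agent on the authorization path, and a hit is a signal that the data-at-rest encryption the company describes does not cover the data in flight where a sniffer would read it.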
The personal data of 600 million or more cardholders was left vulnerable, but data had apparently been extracted from far fewer accounts.
The Heartland breach could become the country's largest of its kind, rivaling the January 2007 breach of the discount retail chain TJX that compromised data of more than 45 million customers.
Heartland says it has taken steps to secure its systems, and that it will implement a next-generation program designed to flag network attacks and notify law enforcement authorities.
"Heartland apologizes for any inconvenience this situation has caused," Baldwin said in a company statement. "Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."