By Lauren Otis, Staff Writer
Lauren OtisStaff Writer
Princeton-based payments processor Heartland Payment Systems said it believes it has contained a security breach of its credit card processing business, but not before transaction data from tens of thousands of merchants was compromised.
In a release, Heartland said it learned it was the victim of a security breach within its processing system in 2008.
”We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” stated Robert H.B. Baldwin Jr., Heartland’s president and chief financial officer, in a release. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice,” Mr. Baldwin stated.
According to Heartland, no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach, nor were any of Heartland’s check management systems, payroll, campus or other payments operation.
Mr. Baldwin told the Associated Press that the cyber thieves accessed part of Heartland’s network, which accounts for 175,000 of the 250,000 merchants who use the payment processor’s services. Card numbers, expiration dates and in some cases cardholder names were obtained, he told the AP.
After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland said it enlisted the help of several forensic auditors to conduct an investigation. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network, according to the company.
Kefi Abramov, a relationship manager with Heartland, said there was no geographic pattern of affected merchants, but instead the manner of the breach affected merchants randomly.
”We are calling every merchant that we have,” Ms. Abramov said.
Ms. Abramov said Heartland made a conscious choice to announce the breach, feeling that full disclosure was in the best interests of all involved. Other financial institutions have been similarly breached, she said, but have chosen not to publicize the breach for fear of losing the confidence of their customer base.
”We prefer to publicize it and take the heat,” she said.
”What everyone should know is there was no chance of identity theft,” Ms. Abramov said, because no Social Security numbers or addresses were stolen during the data breach.
”The only people who are truly affected at all are the cardholders,” if their card information was stolen, she said. Heartland has created a Web site — www.2008breach.com — to provide information about the incident. In its release the company advised cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers, noting that cardholders are not responsible for unauthorized fraudulent charges made by third parties.
”Heartland apologizes for any inconvenience this situation has caused,” stated Mr. Baldwin. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective,” he stated.

