The Princeton, N.J.-based company said in a statement that it discovered last week that intruders had loaded data-capturing malware onto its systems, allowing them to compromise credit and debit card numbers as the data traversed the network.
The company, which provides processing and payment solutions to more than 250,000 companies, did not reveal how many card numbers potentially were exposed to hackers. But Heartland handles more than four billion transactions each year, according to its website. No Social Security or PIN numbers were involved.
Rich Mogull, founder of IT security consultancy Securosis, said the hackers made off with the data thanks to the same type of ploy used in a number of recent high-profile breaches, such as TJX and Hannaford. TJX lost an estimated 94 million credit card numbers, making it the largest reported data-loss incident in history.
"What we have now is a very clear trend," Mogull told SCMagazineUS.com. "If you look at the largest breaches that we can definitely link to fraud, all relate to malicious software being installed somewhere in the payment system."
Heartland first was notified about a potential incident sometime last year, when Visa and MasterCard reported seeing a spike in fraud on accounts for which the company had processed transactions. Heartland hired a forensic team and after learning of the breach, notified law enforcement and deployed new security measures to detect anomalous behavior in real time.
"We understand that this incident may be the result of a widespread global cyberfraud operation," the company's President and Chief Financial Officer Robert H.B. Baldwin Jr. said. "Heartland apologizes for any inconvenience this situation has caused."
A U.S. Department of Justice spokesperson could not be reached for comment.
Experts questioned the timing of the disclosure. Reporting the event on the morning of President Obama's inauguration -- when most of mainstream media's attention was focused on the historical event -- was an ill-advised, if not deceptive, move, Mogull said.
"It's kind of like the kid in the class who thought he got away with cheating, but the teacher knew about it the whole time," he said. "This is one of the most significant days in modern history and they release this pretty much during the inauguration. So it's really hard to read it any other way."
Heartland was validated as Payment Card Industry Data Security Standard (PCI DSS) compliant on April 30, 2008, according to Visa, but the company's PCI status currently is "under review." The firm's PCI assessor is Trustwave, but a representative there could not be reached for comment on Tuesday.
"Compliance is not security," Brent Huston, security evangelist and CEO of MicroSolved, an information security assessor, told SCMagazineUS.com. "It's up to organizations to figure out how to move beyond compliance as their guiding world view to how do they reduce risk and protect data that really needs protecting. The big question is, if it's happening here, where else is it happening?"
The last major breach to impact a payment processor was at the now-defunct CardSystems Solutions, which suffered a breach of some 40 million accounts in 2005. Visa and American Express soon stopped doing business with CardSystems, which later that year was bought out by Pay by Touch, which itself shut down last year.
Alex Hutton, CEO of Risk Management Insight, said the same fate may await Heartland. He said data exposures that impact business-to-business entities are much more devastating than those that affect consumer retail shops.
If the credit card brands cut off ties with a processor, the businesses that accept the cards likely will do the same.
"[As a merchant], I can't turn away people using Visa cards," Hutton said.
Heartland's stock fell eight percent, to $14.18 per share, on Tuesday. A company spokeswoman did not respond to a phone call seeking comment.