A data breach disclosed last week by Heartland Payment Systems Inc. may displace the one revealed by The TJX Companies Inc. in January 2007 as the largest compromise of payment card information to date.
Heartland, a Princeton, N.J.-based payment processor, said intruders broke into its systems sometime last year and planted malware that they used to steal credit and debit card data.
A Heartland spokesman said Thursday that the company still had no idea how many cards had been compromised. It wasn't even sure how long the malware had been on its network, he noted. "All we know is that it was there for a period of time in the second half of 2008," he said.
But given that Heartland processes more than 100 million card transactions per month, it's conceivable that the number of compromised cards could be at least that high, said Gartner Inc. analyst Avivah Litan. In the TJX breach, 45.6 million card numbers were stolen over 18 months.
"Everybody who processes card information is dying to know how exactly this happened," said Henry Helgeson, president and co-CEO of payment processor Merchant Warehouse Inc. "One of our frustrations right now is, if this is a new attack, we need to know about it."
The Heartland breach was the second disclosed by a large payment processor in recent weeks. On Dec. 23, RBS WorldPay Inc. said that the personal data of about 1.5 million card holders had been compromised in a breach of its systems.
The two incidents may point to a new -- and potentially more lucrative -- strategy on the part of cybercrooks. "Attacking a processor is much more serious than attacking a retailer," Litan said, adding that the payment industry as a whole needs to adopt "more radical" security measures.
This version of the story originally appeared in Computerworld's print edition.