Heartland Payment Systems Hit By Data Security Breach

The systems penetrated by a malicious keylogger could result in a data breach that rivals the 2007 breach at the parent company of TJ Maxx.
While the company's Web site says the company handles more than 4 billion transactions per year, Baldwin said only about 1 billion of those were on the legacy Heartland network that was breached. The remaining 3 billion, the result of an acquisition the company made last May of the network services division of Alliance Data Systems, go over a separate network, which wasn't affected by the breach, he said.

He added that while the company handles roughly 100 million transactions per month, the number of unique credit card numbers processed is significantly less than that because some transactions represent the same credit card number being used at different merchants. While the actual total of affected accounts will depend on the number of months that Heartland's network was exposed, Baldwin said the company wasn't yet ready to disclose a specific estimate.

Baldwin said that in addition to an undisclosed system that's being implemented to shore up the Heartland network's defenses, his company is taking a variety of other steps to improve security.

He explained, "There are a host of things we didn't go into that we're implementing, some larger, some smaller, all of which are designed to say, 'OK, we had a commitment to high security. We were PCI compliant -- that was certified in April of last year. Yet we had this problem. Clearly we need to do more.' So our IT team is implementing as many additional precautions as it can as quickly as possible.

"We are really crushed by this," said Baldwin. "It's absolutely antithetical to everything Heartland stands for. We will therefore be redoubling our efforts to be the best processor out there. We obviously are pained by the inconvenience any consumers will have and look forward to coming out of this a stronger company."

If this data breach represents heartache for Heartland, security vendors see it as an opportunity to play doctor. "As the Heartland breach illustrates, you can be PCI compliant and still be breached," said Phil Neray, VP of security strategy at database security company Guardium, in an e-mailed statement. "Good compliance doesn't mean good security."