Heartland data breach could be bigger than TJX's

A data breach disclosed Tuesday by Heartland Payment Systems may well displace TJX Companies' January 2007 breach in the record books as the largest ever involving payment data with potentially over 100 million cards being compromised.

Heartland, a N.J.-based provider of credit and debit card processing services said that unknown intruders had broken into its systems sometime last year and planted malicious software to steal card data carried on the company's networks. The company, which is among the largest payment processors in the country, claimed to have discovered the intrusion only last week after being alerted by Visa and MasterCard of suspicious activity.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

The card companies' alerts triggered a subsequent investigation by "several forensic investigators" during which the intrusion was discovered, Robert Baldwin Jr., Heartland's president and CFO, said in the statement. The company said the intrusion may have been the result of a "widespread global cyberfraud operation".

Heartland claimed that no merchant data, cardholder's Social Security numbers, or unencrypted personal identification numbers (PIN), addresses, or telephone numbers were compromised.

As with most data breach notifications, Heartland offered no explanations on when it was first informed of the breach by the card companies, when in 2008 the company had been breached, how long the intruders had remained undetected, or how many cards might have been compromised in the intrusion. A company spokeswoman did not immediately respond to requests for comment.

But given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that much, if not more, said Avivah Litan , an analyst with Gartner. "It does look like the biggest ever," Litan said. The TJX breach involved the compromise of over 45 million cards.

It also appears that those behind the breach "made off with the gold" by intercepting and stealing the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that's needed to create counterfeit cards, Litan said.

Dan Clements, president of CardCops , an identity protection service of Affinion Group, said that he has noticed activity in underground chat rooms that suggested a major compromise at a processor such as Heartland.