Malicious software injected into the payment processing network of a major US credit-card processing company could have led to one of the biggest data breaches ever reported, it has emerged.
Heartland Payment Systems has said the activity of cyber criminals had compromised its payments network. Some customer records may have been improperly accessed.
Potentially tens of millions of credit and debit card transactions could be involved. The business handles 100 million card transactions every month for 175,000 merchants.
Robert Baldwin Heartland’s CFO, said in a USA Today interview that the intruders had access to Heartland’s system for ‘longer than weeks’ in late 2008. He also said that the spyware has been described as being ‘light-years more sophisticated’ than the sort of maleware that is commonly downloaded from the web.
Alarms were first raised after Visa and MasterCard alerted the New Jersey-based company of suspicious activity surrounding processed card transactions.
Heartland emphasised that no merchant data or unencrypted PINs, or cardholders’ addresses or telephone numbers had been exposed as a result of the breach.
But the company has confirmed the hackers could have sucked off so-called track data from transactions it handled. Track data includes information such as card number, expiration date and some internal bank codes that could be used to make fake cards.
The number of victims is unknown. Previously, the largest known breach occurred when around 45 million card numbers were stolen from retail company TJX in 2005 and 2006.