Another Month, Another Massive Credit Card Data Breach

Don’t be too surprised if you get a letter from your bank or credit union in the next few weeks telling you it’s replacing your credit card. If your data was among the latest set compromised, Visa and Mastercard are already alerting financial institutions so they can cancel the account number.

There’s no official word on which payment processor was hit this time. Our tipster says his credit union told him it was Heartland Payment Systems yet again, but after we published this post on Monday afternoon, the Executive Director of Marketing at Heartland wrote us to say it was not:

We, too, have heard of a new breach. But, we can say with confidence that it is not at Heartland.

Nancy Gross
Executive Director of Marketing
Heartland Payment Systems

Here’s what our original tipster was told by his credit union:

I was just contacted by my credit union that both my MasterCard check cards had been compromised. I was told by my credit union that the breach occurred through Heartland Payment Systems.

I was told that they process the payment for over 175,000 retailers, and that thousands of people at my CU alone had been impacted.

So Heartland says it’s not them—then who is it? In SC Magazine US, a security expert says that Visa and Mastercard know who the processor is, but won’t name names:

The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.

He said on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.

“What concerns me is that Visa and MasterCard, they clearly know who it is,” Shettler said. “They just won’t say anything because the processor hasn’t come clean. The sort of feel it gives people is that Visa and MasterCard are covering for some unnamed organization.”

ComputerWorld notes that the blog Office of Inadequate Security has posted notices from “the Tuscaloosa VA Federal Credit Union in Alabama, the Pennsylvania Credit Union Association, the Community Bankers Association of Illinois and the New York State Consumer Protection Board,” as well as the Alabama Credit Union (also in Tuscaloosa).

As with the Heartland breach reported in January, it’s likely that only account numbers and expiration dates were grabbed, and not SSNs or PINs.

“Just weeks after Heartland breach, another payment processor said to be hit” [ComputerWorld] (Thanks to Steven!)
“Visa confirms another payment processor breach” [SC Magazine US] (Thanks to Mike!)
“Banks starting to report breach at unnamed processor” [Office of Inadequate Security]
(Photo: Ollie Crafoord)



  1. mike1731 says:

    My teenage daughter received a letter from our bank notifying her they were reissuing her debit card, naming Heartland Payment Systems as the source of the breach. Just out of curiosity, any idea what companies use Heartland? Amy asked me so she could avoid shopping there again.

    • PoleMan14 says:

      @mike1731: Heartland did not release the information for that specific reason.

    • startertan says:

      @mike1731: Not to mention if they do service over 175,000 retailers I’m sure it would be hard to avoid all the people they provide services for. Probably wouldn’t be able to buy groceries or go to Lowe’s anymore…

      Time to put another credit freeze on my accounts just in case.

    • Chris Walters says:

      @mike1731: Unfortunately, the stores that use Heartland weren’t really responsible for the breach reported in January, either. It was all Heartland’s doing, and from what I understand Heartland wasn’t exactly forthcoming to its customers either.

      You could argue that the stores and restaurants that were affected by the Heartland breach should drop Heartland and go with another payment processor, but Heartland isn’t unique in being attacked. Another processing company, RBS WorldPay, announced a similar attack back in December. And it’s quite possible that this most recent one won’t be Heartland but yet another company.

      The problem for us, as consumers, is that we can’t directly impact the companies responsible for this. You could boycott stores and restaurants that use Heartland I suppose, but there’s no guarantee the next payment processor they jump to (since they pretty much *have* to use one for credit card payments) will be any better prepared to fend off an attack.

    • Farquar says:

      @mike1731: Why would you stop using the retailers? The retailers have done nothing wrong in this situation. They have no control over what happens to the data once it hits the processor’s servers.

  2. Oranges w/ Cheese says:

    I just have to say that “office of inadequate security” is THE BEST EVER.

  3. lodleader says:

    I agree office of inadequate security FTW

  4. seajane says:

    You almost can’t avoid using Heartland. Many, many gas stations, convenience stores, small and medium businesses all use Heartland for processing. Many don’t know it — they think their bank is processing the charges, but Heartland is the intermediary and clearing.

  5. "I Like Potatoes" says:

    Well this explains the letter and the new cards I got from USAA today. You can count on Consumerist to explain it better than the bank can.

  6. gqcarrick says:

    My parents got a letter in the mail saying their credit card was being replaced, I wish I knew what website they went on or what place caused the whole fiasco.

  7. oneandone says:

    I think this is it for me and credit cards. I’m fed up. Not that it’s Mastercard or Visa or whichever issuer’s fault, but being a responsible credit card user has become much more of a time suck than I’m interested in. What with all the arbitrarily reducing credit limits (AmEx), raising APRs (Citibank), canceling cards I haven’t used in a year (WaMu/Providian) my orderly system of using just one card very judiciously has now become, in just a few months, a crazy mess of trying to spread out purchases on different cards to keep them active but still pay them off immediately – and of course they all have different closing dates. I’m interested in keeping them active because it seems like my very nice credit score is being propped up by my 3 oldest cards, which have the worst terms but are about a decade older than anything else I’ve got.

    And now I have to check all of them constantly to see if there are unauthorized purchases. Enough. I’m done. Cash only and I don’t plan on buying anything online anytime soon. Credit cards, you have given me way too many hoops to jump through just to keep tabs on everything.

  8. Pixelantes Anonymous says:

    I just got my business credit card compromised on Friday.

    Three unauthorized charges, one of which was refused because the CCV was entered wrong, before my bank blocked the card.

    Definitely something got compromised again somewhere.

  9. jozhua says:

    My bank sent me a letter about 2 weeks ago citing the data breach from Heartland as the reason for me to come in and get a new card. I have only used my card when paying utility bills for the past year and a half. I got a Capital One card that I use for all my on-the-go purchases & pay it off every month. I like the free rewards and the peace of mind I get knowing that there isn’t a CC# linked directly to my funds floating around through all the retailers. Of course maybe I should switch to my real credit card for paying my utility bills as well.

  10. adb1158 says:

    My FSA (Flexible Spending Account) payer, ADP, just reissued my card because of Heartland’s data compromise. The letter also stated that no SSNs were compromised.

  11. Whitney Robinson says:

    I work at a bank and we’ve had at least 2 compromises this year thanks to Heartland- now I hear that this is #3?! Not only is this a pain for consumers, but banks aren’t benefiting either from this- it wouldn’t surprise me if numerous people leave their banks and switch (not that, in this case, it’ll do them any good) in order to prevent this from happening again.

  12. boricuachick says:

    Well, crap. I’ve only had my new VISA debit card for a few weeks since the last security breach. This is the 4th time in the last few years that my account has been compromised. Thanks for the heads up, though. My bank NEVER tells me when they cancel the card and so most times I find out when I am in line at the supermarket and my card is declined and then everyone gets to stare at me like I’m some deadbeat loser LOL.

  13. bohemian says:

    Oh great. I better start digging through the mail from last week to see if the bank sent me anything. When TJMaxx lost my data my card just quit working while I was in line at Target. What I thought was our bank statement was a letter informing me of the data breach and my new card, so I didn’t open it right away.

  14. Anonymous says:

    Whitney: did you actually get notified of two separate breaches involving Heartland or was the second notification a notice on or about Feb. 9th about card-not-present fraud involving an unnamed processor? As far as I know, Heartland only had one breach and the second processor hasn’t been named yet. The second breach occurred February 2009 into January 2009.

    Office of Inadequate Security

  15. Teradoc says:

    Huh, I just had some douchebag rack up a $250 purchase in New Jersey here 2-3 weeks ago and Wells Fargo was all over it, thankfully, like a hobo on a cheese sandwich, and let me know about it right away to allow me to close the account. So hurrah WF, but anymore I am getting very suspicious of even having a credit card and maybe just going to cash only, and if buying something online using the credit card only then.
    The amount of data breaches and unauthorised uses anymore is just becoming paramount, especially if what they say is true and this is the 3rd time for just one company….AND it is only the end of February!

    • Anonymous says:

      @Teradoc: What i suggest is the method my husband and I use. Cash for everything, and a pre-paid credit card for any internet purchases. You can load as much or as little as you want, so the losses are minimal if someone gets ahold of it.

  16. WaywardSoul says:

    Quite a few locals have been informed that their credit or debit cards were compromised recently. In all cases I’ve heard of Walmart was mentioned as the retailer involved, so it may have been an inside the local store job. Figured it’s worth mentioning anyway though.

  17. Lynn12 says:

    I have two bank accounts, one at a S&L and one at a CU for just this reason. If one gets nailed with a data breach, then I’ll have the other secure one, right?

    Nope, Heartland nailed the first card (just got my replacement today) & two days ago I got a letter for my second bank card telling me it would be monitored for suspicious activity. This sucks since I’ll be out of town in two weeks & will likely not be able to use that card at all.

    Thanks boneheads for not keeping my data safe!

  18. valen says:

    I am starting to wonder if there are any penalties for credit card processing companies that routinely lose customer data due to lack of due diligence.

    If I were a legislator, I would seriously look at creating a law designed to penalize, through financial penalties and full public disclosure, negligent processing companies that fail to provide due diligence in protecting customer data. If we had a law like this, credit card processors may be tempted to clean up their act rather than proceed like the entire episode never happened.

  19. Stephanie Haller says:

    I just need to stop reading the internet. I’m sick of all the bad news.

  20. Anonymous says:

    If you receive word from your bank stating that your card may have been compromised due to Heartland’s breach, keep in mind that it may be from the previous Heartland breach, and may not indicate that this new security breach is from Heartland. The bank I work for initially tightened security parameters for all Heartland-compromised cards, but recently decided to reissue those affected cards. The reason they weren’t just reissued to begin with? That’s over 12,000 cards for our state-wide bank alone.

    Plus, our card processing center has asked us to extend the ETA of the cards from 5-7 business days to 10-12 business days because of the sheer number of banks performing mass reissues. My advice: read your mail! Typically, if a card needs to be reissued and has not acquired any fraudulent transactions, it will deactivate several weeks after the letter to inform you of the situation was generated.

  21. Anonymous says:

    Most companies enjoy “security” insofar as they haven’t been targeted, or had an employee make a human error with catastrophic exposure. PricewaterhouseCoopers and Carnegie Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – absent a new eCulture, breaches will, and continue to, increase. For example: Microsoft patched for the worm affecting Heartland 4 months ago. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me – check your local library: A book that is required reading is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium.” It also helps outside agencies understand your values and practices.
    The author, David Scott, has an interview that is a great exposure:
    The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
    In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.

  22. Trencher93 says:

    “The of sort feel it gives people” – huh?

  23. Megladon says:

    The only way to make this stop is to sue them or take money away. Since we can’t stop using them if they are a middle man in a transaction, we need to sue them; only when it starts costing them more than it will cost to fix the problem will they actually bother to fix it.

    And another poster was right, the name Office of Inadequate Security is about the best name and most accurate to be reporting something like this.

  24. sqlrob says:

    We found out on Sunday when we tried to log on online to balance and make a payment. It was blocked. Stupid Citibank, disabling the mechanism by which a customer can tell if there are any problems with a compromised card.

    The card itself was still usable however (???)

  25. aerick79 says:

    I work in customer service for debit and credit cards. We rec’d tons and tons of calls about this. The banks really don’t know if your credit or debit card numbers were compromised. They are just being safe.

    Gotta love hackers

  26. aerick79 says:

    Oh this is old news BTW

  27. SableHemlock says:

    Both my credit card and debit card are being reissued. I’ve gotten the new debit card, now I’m just waiting for the new credit card.

  28. Gaianna says:

    I just got my shiny new Debit Card today, My bank says it was due to Heartland.

  29. theblackdog says:

    I was hit by this breach and I had to call to have my card cancelled and blocked because someone used my number to buy a subscription to a porn website, then two days later I got a letter from my bank that my number may have been compromised.

    I want names, and I hope they’ll hand them over.

  30. Anonymous says:

    Where is the public outcry about this crap that just KEEPS occurring because these businesses don’t want to spend the money to properly secure information about millions of consumers? The folks who decide *not* to secure our information properly ought to be hung on spikes in front of the credit card buildings.

  31. Christopher Durbin says:

    “We, too, have heard of a new breach. But, we can say with confidence that it is not at Heartland.

    Nancy Gross
    Executive Director of Marketing
    Heartland Payment Systems”

    Ooops! Sorry we are not buying what you are selling anymore.

  32. girly says:

    How can the credit card companies not do a who/what/when/where associated with the breach?

    Even if there is no personal data at the processor, don’t they at least have transaction numbers or something that the card companies themselves can tie back?

    I and people I know are getting tired of the ‘we closed your card for your protection’ with no explanation of how they found out. (Other than that some entity, which they don’t name, contacted them.)

    The way they worded it to me at first I seriously thought that some random person off the street called and closed my card!

  33. Sidecutter says:

    This is the first time I’ve apparently been caught in this. I just got down the list to this article today, and sure enough, I was mailed a letter from 5/3 Bank yesterday telling me that one of my cards was going to be forcibly retired as of March 12th. They’re sending a new one “Within the next week” that I am supposed to activate immediately in order to nullify my old card.

    Of course this comes when I’m expecting registration forms for an event to go up between Tuesday and Friday this week. These forms need to be filled and faxed *immediately* to ensure I get what I’m after (very limited availability for some events). They should be processed no more than 7-10 days later, but now I have to hope they do so before my current card is forced to expire on me, or hope that my new card arrives before the forms go up so I can activate and test it in time.

    Which makes me think of George Carlin, and his seven words you can’t say on TV…

  34. Kelvin Lu says:

    I think many of the comments here reflect a poor understanding of the complex difficulties in “securing” data. Security is a process that is dependent on what your data is doing. Depending on what data is being secured and where that data is coming from and going to, many parties need to be involved from the hardware and software developers to the banks to the card associations (Visa, etc.) and to the card processors. The US has the world’s lowest rate of fraudulent payments activity. We also have high standards of securing data. The unfortunate reality is that these standards are constantly being threatened by malicious entities.

    As a consumer, it is always easiest to blame something on one thing whether it’s a plane crash or a security breach. The reality is far more complex.

    Criminals perpetrated this breach. Why not blame law enforcement? Why not blame the country with the lax laws that permit such entities to freely operate with no easy way for foreign entities to prosecute them? The culprits in the Heartland breach were foreign. In addition to the data thieves, there are the fraudsters using the data to steal money. If someone robs a bank, do you blame the bank for not having enough security? There will always be instances when you have good security but it is not enough.

    The unfortunate reality is that these incidents happen.

  35. chix says:

    I constantly get these notices from Citibank to close my account due to a “security breach” from Mastercard International. I ask for a little more detail and they say that it is under investigation and they have no further information to supply.

    This last time, I refused to change accounts/cards and Citibank accepted that response.

    My question is “am I liable for a fraudulent charge on my account if I refused to close it for this reason”?

    I would think that only the standard $50 rule applies in all cases but that is why I am asking this question here.

    The least they could do is give the consumer more details so they can decide if this really does affect MY ACCOUNT. It is a hassle to keep going through this time after time, let alone have your card declined at a merchant due to a massive security block.