Another Month, Another Massive Credit Card Data Breach

Don’t be too surprised if you get a letter from your bank or credit union in the next few weeks telling you it’s replacing your credit card. If your data was among the latest set compromised, Visa and Mastercard are already alerting financial institutions so they can cancel the account number.

There’s no official word on which payment processor was hit this time. Our tipster says his credit union told him it was Heartland Payment Systems yet again, but after we published this post on Monday afternoon, the Executive Director of Marketing at Heartland wrote us to say it was not:

We, too, have heard of a new breach. But, we can say with confidence that it is not at Heartland.

Nancy Gross
Executive Director of Marketing
Heartland Payment Systems

Here’s what our original tipster was told by his credit union:

I was just contacted by my credit union that both my MasterCard check cards had been compromised. I was told by my credit union that the breach occurred through Heartland Payment Systems.

I was told that they process the payment for over 175,000 retailers, and that thousands of people at my CU alone had been impacted.

So Heartland says it’s not them—then who is it? In SC Magazine US, a security expert says that Visa and Mastercard know who the processor is, but won’t name names:

The victim in this case appears to be a provider that processes online transactions, said David Shettler, vice president and CTO of Open Security Foundation, a nonprofit that researches data breaches.

He told on Monday that the group has been receiving tips about the breach since Feb. 12, but few details have been confirmed.

“What concerns me is that Visa and MasterCard, they clearly know who it is,” Shettler said. “That just won’t say anything because the processor hasn’t come clean. The of sort feel it gives people is that Visa and MasterCard are covering for some unnamed organization.”

ComputerWorld notes that the blog Office of Inadequate Security has posted notices from “the Tuscaloosa VA Federal Credit Union in Alabama, the Pennsylvania Credit Union Association, the Community Bankers Association of Illinois and the New York State Consumer Protection Board,” as well as the Alabama Credit Union (also in Tuscaloosa).

As with the Heartland breach reported in January, it’s likely that only account numbers and expiration dates were grabbed, and not SSNs or PINs.

“Just weeks after Heartland breach, another payment processor said to be hit” [ComputerWorld] (Thanks to Steven!)
“Visa confirms another payment processor breach” [SC Magazine US] (Thanks to Mike!)

“Banks starting to report breach at unnamed processor” [Office of Inadequate Security]
(Photo: Ollie Crafoord)