Hackers attack credit card processor in massive security breach
A U.S.-based company that processes credit card transactions for more than 250,000 businesses has uncovered a massive security breach, officials said Tuesday.
New Jersey-based Heartland Payment Systems said malicious software in its processing system was uncovered last week.
Canadian merchants were not believed to be affected, although consumers who may have travelled to the U.S. and used a Visa or MasterCard credit card are advised to check their credit card statements for any irregularities.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," Robert H.B. Baldwin Jr., Heartland's president and chief financial officer, said in a release.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are co-operating closely with the United States Secret Service and Department of Justice."
The company said the breach did not affect merchant data, social security numbers, unencrypted personal identification numbers, addresses or telephone numbers.
CBC News' Marivel Taruc, who spoke with Baldwin, said authorities suspect Heartland may not be the only company to have been hacked in this operation. Authorities suspect the extent of the breach could be among the largest ever committed.
"The other concern here [is] cyber experts are saying this could be the biggest breach of credit card fraud online ever … because Heartland processes 100 million transactions every month," Taruc said.
The largest online data breach — in which more than 94 million credit and debit cards were exposed — was committed in January 2007 against the TJX Cos.
A probe by the privacy commissioner's office found the Massachusetts-based parent company of Winners and HomeSense collected too much information, kept the data for too long and relied on weak WEP encryption technology to protect its wireless local networks.
The privacy commissioner also found the hackers did not use sophisticated equipment to break into the computer system.