Trouble in the Heartland

Filed Under: SophosLabs

Heartland Payment Systems are reporting today that they had a data breach in their payment processing network last year. The full text of Heartland's statement can be seen here. Heartland are quite definite when explaining what was not stolen but do not mention exactly what was stolen.

"No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach."

It appears that the information stolen consisted of the encoded details from the magnetic stripes of credit and debit cards. That includes the card number and cardholder name, and is enough information to create fake cards. Although addresses were not compromised by this breach, making 'card not present' fraud more difficult, this provides one more piece in the puzzle for anyone trying to assemble stolen identities. A name and card number from one breach could be used along with a name and address from another source to build a more complete identity.

This breach once again emphasizes the need for secure encryption of valuable information both in transit and at rest.

Heartland may find that their tagline "The Highest Standards The Most Trusted Transactions" is perhaps not so true today as it was yesterday.

About the author

Richard manages SophosLabs' operations in the United States. His principal security interests are endpoint security and user education. When he's not worrying about digital perils he enjoys singing, much to the distress of his cat, whose name does not feature in any of his passwords.