Heartland Payment Systems are reporting today that they had a data breach in their payment processing network last year. The full text of Heartland’s statement can be seen here. Heartland are quite definite when explaining what was not stolen but do not mention exactly what was stolen.
"No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach."
It appears that the information stolen consisted of the encoded details from the magnetic strips of credit and debit cards. That includes the card number and cardholder name and is enough information to create fake cards. Although addresses were not compromised by this breach, making ‘card not present’ fraud more difficult, this provides one more piece in the puzzle for anyone trying to assemble stolen identities. A name and card number from one breach could be used along with a name and address from another source to build a more complete identity.
This breach once again emphasizes the need for secure encryption of valuable information both in transit and at rest.
Heartland may find that their tagline “The Highest Standards The Most Trusted Transactions” is perhaps not so true today as it was yesterday.