A payment processor responsible for handling about 100 million credit card transactions every month disclosed today that thieves had used malicious software in its network in 2008 to steal an unknown number of credit card numbers.
The company's information site on the incident, http://2008breach.com/, attempts to downplay the loss of data by asserting that no Social Security numbers, unencrypted PINs or other types of data were stolen. But according to some good reporting from Brian Krebs at the Washington Post, Heartland's CEO says a piece of spyware stole payment card data as it passed through the company network, including the data from the magnetic stripe that can be used to create counterfeit cards.
Heartland says it didn't discover the breach until Visa and Mastercard came knocking about suspicious activity involving card numbers processed by Heartland. Disheartening, to say the least.
It's all the more sad that we as consumers really can't do a darn thing to protect ourselves against this kind of theft. We can be incredibly careful with our own PCs and data, but we have no control over how that data is handled by the plethora of companies that store and process our information. All you can do is keep an extra close eye on your credit card statements and credit reports for anything suspicious.
You can pick up free credit reports from https://www.annualcreditreport.com (avoid those slimy sites that try to get you to pay for them). Also, as you scan your credit card statements, be on the lookout even for small charges, possibly even less than a dollar. Such charges can be a sign that thieves are testing the account to see if they can pass a fraudulent charge, and may signal a much larger charge to come.
For more info on the Heartland theft, see Krebs' Security Fix posting and the Heartland disclosure site. And yes, you have to wonder about disclosing this on a day when most everyone's attention is focused elsewhere.