Debit Card Data Breach Compared to TJX

A significant data breach involving an as-yet-undisclosed source and multiple card-processing networks is prompting banks to warn customers about possible fraud and in at least one case deactivate 8,500 debit cards.

(Update: Mystery solved. Heartland Payment Systems just moments ago announced "it was the victim of a security breach within its processing system in 2008. ... After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network." I'm hearing that the Heartland news is related to the rest of this post. ... Update 2, 1:45 p.m.: Playing phone tag with Heartland.)

(Update 3, 2:15 p.m.: "Larger than TJX?" See below for details ... also Heartland interview.)

"We really don't have too many more details, but have noticed that credit unions in at least five states from Florida to Oregon have placed 'alerts' on their Web sites about a 'possible breach,' " says Kelly Todd, who helps maintain the Open Security Foundation's DataLossDB. "The breach itself may be from a major retail store, a fuel chain, or something else."

According to this story from the TimesTribune.com in Kentucky, Forcht Bank is among those taking steps to protect its customers.

Eddie Woodruff, chief operations officer for the bank, confirmed that 8,500 of the bank's roughly 22,000 total debit cards had been deactivated, but the move was primarily a precaution.

"Right now, none of our customers have reported any fraudulent activity on the cards," Woodruff said. "We're just trying to take every precaution."

The cards were compromised when a retail merchant's computer system was hacked, Woodruff said. The breach affected customers of multiple banks and multiple debit and ATM networks.

According to a statement posted on Forcht Bank's site, "some unknown persons are possibly creating duplicate debit cards." The bank learned of the breach through its debit card processor, First Data Corp, which operates the Star Debit & ATM Network.

A spokesperson for First Data told the TimesTribune that "the debit card issue we were alerted to could affect not only Star but also other debit networks."

"While we do not comment on specific matters pertaining to our customers, we can tell you this situation is not related to any First Data processing systems or practices," the spokesperson told the newspaper. "We are working with our clients, the card associations and card issuing and acquiring banks to monitor and help mitigate the issue and protect consumers."

While DataLossDB is "hearing rumblings that this is a significant breach," there's no reliable way at the moment to determine if these next few items are dots that can be connected ... or just dots in the never-ending data-breach parade.

This story over the weekend in the Kennebec Journal tells of 1,500 customers of the Kennebec Savings Bank in Augusta, Maine being notified that their card information had been compromised. The bank was replacing cards only upon request.

Here police in Salem, Oregon report a rash of actually compromised debit-card accounts held by the Oregon Territory Federal Credit Union.

A flashing "Debit Card Alert" message on the homepage of Franciscan Skemp Credit Union in Wisconsin leads to this detailed warning (.pdf).

Again, it's worth emphasizing that I do not know for certain whether these warnings are related to the Forcht Bank actions in Kentucky. One reason we don't know, of course, is that corporate butt-covering almost always trumps public interest in these cases.

Says Kelly Todd of DataLossDB: "It would be proactive, consumer-friendly, and nice if all entities involved would be willing to come forward and openly say 'Company X was involved in a breach of personal or financial information at Y locations, which may affect Z number of people, who may or may not have had their information handled by A corporation, so if you have any questions, please contact us and we'll do our best to do what's right for you.'"

"Sorry to say," Todd adds, "it's probably not going to happen."

(Update 3, 2:15 p.m.: Just got off the phone with Robert Baldwin, president and CFO of Heartland Payment Systems. He tells me:

The spate of bank and credit union warnings last week and over the weekend is "at least related" to the breach of his company's network. However, "there appears to be no relationship" between that breach and the incident involving Forcht Bank in Kentucky.

Regarding an e-mail forwarded to me and purportedly from someone within the Independent Community Bankers of America (ICBA) calling the Heartland breach "larger than TJX": "We can't speculate on how big it was. Clearly it's not a few hundred cards or anything like that." He rejected out of hand any comparison with TJX because, he said, no one within his organization could make such a determination, never mind someone from the outside. The company does process 100 million transactions per month.

Heartland's press release speaks of the company being a "victim," so I asked if they are also accepting responsibility for what happened: "Absolutely," he said, "we are heartsick over this. It's literally sickening."

While there are indications that the malicious software had compromised Heartland's network as long ago as mid-May (Baldwin would not confirm that), he said it was "just last week" that forensic examinations definitively pinpointed Heartland as the source of the breach.

"We know there has been fraudulent use" of account information, he said, although they do not know how many instances.)

(Update 4, 2:30: Washington Post adds to speculation that this breach may turn out to be among the largest ever.)
