PRINCETON N.J. Payment card data from customers at about 60,000 restaurants nationwide may have been stolen over the past several months, according to Heartland Payment Systems, a processor with several restaurant industry ties.
The processor said criminals – possibly a “global cyber fraud ring” – implanted data-stealing software within its network in 2008 that was detected last week after suspicious activity was spotted concerning some transactions. The number of customers affected has not been specified.
Much as consumers who follow issuer guidelines are not responsible for unauthorized purchases tied to stolen cards or data, "Merchants will not be liable for any losses associated with the breach," said Jason Maloni, spokesman for Heartland Payment Systems. It remains to be seen if restaurateurs dealing with Heartland will be harmed by possible losses of credibility among consumers ultimately defrauded through the breach, if any.
The thieves in the Heartland matter obtained card numbers and magnetic stripe data that may include card expiration dates and names, Heartland said. It noted that fraudulent purchases were detected in “the late fall” by card companies, setting off the investigation that uncovered the theft.
But Princeton-based Heartland stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers, or PINs, addresses or telephone numbers were involved in the breach. Also not breached, the company said, were Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.
Heartland Payment Systems, which reportedly processes more than $50 billion in transactions annually from about 250,000 businesses nationwide, said merchants and consumers could get additional information about the breach at http://www.2008breach.com. If they have further questions, they can call 866-399-6228 or e-mail [email protected], the company said.
The processor suggested that all payment card users nationwide monitor their card statements for unrecognizable transactions that might signal fraud.
Heartland has marketed aggressively to the restaurant industry, in some cases entering into strategic business relationships with state hospitality associations that can include special incentives for members to use Heartland for processing services. The California Restaurant Association and Florida Restaurant & Lodging Association are two of the associations working with Heartland.
Tallahassee-based FR&LA on Wednesday issued a statement urging members to “remain loyal” to “honorable” Heartland, a “strong partner” of nearly 10 years and a “victim of fraudulent activity.”
The processor's relationships with restaurant associations, along with its normal business aggregation strategies, means that as today "approximately 60,000 full-service and quick-service restaurants process with Heartland Payment Systems," company spokesman Maloni confirmed.
Heartland said the crime may be linked to “a widespread global cyber fraud operation” and that it is cooperating with the U.S. Secret Service and Department of Justice.
“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” Robert H.B. Baldwin Jr., Heartland's president and chief financial officer, said in a Jan. 20 statement. "Heartland apologizes for any inconvenience this situation has caused.”
Going forward, Heartland sources said, the company will deploy “a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.” Baldwin said Heartland “is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”
The investigation of the data leak was spurred by Visa and MasterCard alerts of suspicious activity surrounding processed card transactions, Heartland said. The processor said that warning prompted it to enlist several forensic auditors, who last week uncovered “malicious software that compromised data that crossed Heartland's network.”
Contact Alan J. Liddle at [email protected].