Heartland Data Breach: Institutions Still Feel the Sting

Tampa Credit Union is Latest Victim; Notifies 56,000 Members of Potential Compromise
Heartland Data Breach: Institutions Still Feel the Sting
A Tampa, FL-based credit union has notified 56,000 members that their Visa check cards were exposed to fraud as a result of the Heartland Payment Systems (HPY) data breach announced back in January.

Suncoast Schools Federal Credit Union discovered only at the end of May that some of its customers could be in danger from the payments processor breach in which customer account data from millions of credit and debit card transactions was exposed. The credit union is issuing new cards to all members whose accounts were compromised. Fewer than 1,000 members were actually affected by fraud as of last week, according to Melva McKay-Bass, senior vice president of member service operations for Suncoast.

Suncoast Schools FCU, with 450,000 members, has 50 locations in central Florida and reported nearly $5.9 billion in assets in 2008.

The credit union began notifying members via mail in the first week of June, says McKay-Bass. "It was not a Suncoast exclusive event, nor was it through any fault of our own," McKay-Bass told the St. Petersburg Times. "It was not anything that we had done wrong."

McKay-Bass says the Heartland breach only resulted in encrypted card data being compromised -- not members' personal information.

Heartland found malicious software on its system in January 2009 after an exhaustive investigation which began in Fall 2008. After receiving reports from card brands about anomalies, Heartland immediately began a comprehensive forensic investigation. Initial findings suggested that Heartland's system was not the source of anomalies, states Heartland's spokesperson. Later, in January, Heartland's forensic team located the malware.

Data, including card transactions sent over Heartland's internal processing platform, was sent unencrypted. No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems. The company delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.

Suncoast is among more than 665 institutions that have reported having cards affected because of Heartland. More institutions may find themselves in a similar situation, notes Gartner Research distinguished analyst Avivah Litan.

"The fraudsters have long staying power - they typically steal millions or hundreds of thousands of cards at a time and wait sometimes up to a year or more to use them all," Litan says. "So we may be living with the fallout from the Heartland breach for a year or more to come."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.