This incident has 0 proposed changes.
Know of details that have changed? Submit them
Showing Incident 1518 
SUMMARY
| Malicious Software/Hack compromises unknown number of credit cards at fifth largest credit card processor | |
| Records | 130,000,000 |
|---|---|
| Record Types | CCN |
| Breach Type | Hack |
| Data Family | Electronic |
| Source | Outside |
| Organization | Heartland Payment Systems |
| Other Affected/Involved Organizations | Tower Federal Credit Union, Beverly National Bank |
| Lawsuit? | YES |
| Data Recovered? | NO/UNKNOWN |
| Arrest? | YES |
| Submitted By: | michaelcordes |
STOCK PRICE
SIMILAR INCIDENTS
| records | date | organizations |
|---|---|---|
| 94,000,000 | 2007-01-17 | TJX Companies Inc. |
| 90,000,000 | 1984-06-01 | TRW, Sears Roebuck |
| 77,000,000 | 2011-04-26 | Sony Corporation |
TIMELINE
| Date | Event |
|---|---|
| 2008-05-15 | Incident Occurred |
| 2009-01-12 | Incident Discovered By Organization |
| 2009-01-20 | Organization Reports Incident |
| None. Add Data | Organization Mails Notifications |
| None. Add Data | Records Recovered |
| 2009-01-27 | Lawsuit Filed |
| 2009-08-16 | Arrest Made |
MAP OF INCIDENT LOCATION
Address: 90 Nassau St, Princeton, NJ 08542, USA
Have a better address for this incident? Suggest it!
REFERENCES
suggest a new attachment
ATTACHMENTS
KNOWN COURT CASES
IN PROGRESS
CONSUMER - In Re: Heartland Payment Systems Inc. Customer Data Security Breach Litigation |
Filed On | Justia Link | Pacer Link | Court | Federal? | Case Number | Pacer Case Number | Incident | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009-06-10 | Pacer Docket | N/A | SOUTHERN DISTRICT OF TEXAS | true | 4:09-MD-2046-CONSUMER | 4 | 1518 | |||||||||||||||||
| Case Files | ||||||||||||||||||||||||
| Awards / Settlements |
|
|||||||||||||||||||||||
| OSF Summary |
This is the 'consumer track' of the consolidated lawsuits against Heartland Payment Systems, Inc. |
|||||||||||||||||||||||
IN PROGRESS
FINANCIAL INSTITUTIONS - In Re: Heartland Payment Systems Inc. Customer Data Security Breach Litigation |
Filed On | Justia Link | Pacer Link | Court | Federal? | Case Number | Pacer Case Number | Incident | |||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2009-06-10 | Pacer Docket | N/A | SOUTHERN DISTRICT OF TEXAS | true | 4:09-MD-2046-FINANCIAL | 4 | 1518 | ||||||||
| Case Files |
None |
||||||||||||||
| Awards / Settlements |
|
||||||||||||||
| OSF Summary |
"Financial Institutions Track" of consolidated litigation against Heartland Payment Systems. |
||||||||||||||
KNOWN NON-COURT COSTS
| Name | Date | Reference | Monetary Value | Description |
|---|---|---|---|---|
| Heartland Settlement with American Express | 2009-12-17 | reference | $3,538,380.00 | To resolve all potential claims and other disputes between Amex and HPS with respect to the HPS breach. |
| Heartland Settlement with VISA | 2010-01-07 | reference | $60,000,000.00 | To resolve all potential claims and other disputes between VISA and HPS with respect to the HPS breach. |
| TOTAL COST | $63,538,380.00 | |||
COSTS SUMMARY
Known Actual Costs
|
Estimated Costs
|
||||||||
|
|||||||||
PRIMARY SOURCES
Primary Source ID: 1327
| add details to this primary source Description | |||
|---|---|---|---|
|
Heartland breach notification sent to Maryland
|
|||
| Filename | Source | Researcher | Incident IDs |
| ITU-164794.pdf | Maryland Attorney General | kirniki | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| Not yet entered | 2009-01-30 | 2009-02-04 | 04 Feb 12:28 |
| Excerpt | |||
pr Q _ ._ Q _, 1 2,. 1 p up . . p p »V_. . _. I .The Highest Stundurds lTheM0st`.Ti·tisted'Irdhsdrtidnsri r ·`·· L'} lm. `_ _ lp ‘ ‘ , ‘’`’ 'Y __ i _ W » ; Charles... |
|||
Primary Source ID: 1353
| add details to this primary source Description | |||
|---|---|---|---|
|
Credit card information accessed by a hacker using malicious software
|
|||
| Filename | Source | Researcher | Incident IDs |
| heartland.pdf | New Hampshire Consumer Protection & Antitrust Bureau | kirniki | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| Not yet entered | 2009-01-30 | 2009-02-17 | 24 Feb 11:27 |
| Excerpt | |||
*3%* Hdmfmmé d _ ,,_W ·~W~·V·‘·‘‘`V‘V``4 '`W;·`4WW {hn Hignesz Standards ;?hc· MostYma1a:H`mns¤c¥;¤¤s · Vv`____ _,_._...···——···°·‘`"‘"'```V'v`v`w`vvvv Shades Kalisznbach Genera! Ccwnzsad and C... |
|||
Primary Source ID: 1492
| add details to this primary source Description | |||
|---|---|---|---|
|
Maryland data breach notification : Hacked credit card processor provides hacker with Credit Card information
|
|||
| Filename | Source | Researcher | Incident IDs |
| ITU-166426.pdf | Maryland Attorney General | kirniki | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| 1 | 2009-02-09 | 2009-03-27 | 25 Jun 21:42 |
| Excerpt | |||
110 ~**—¤‘·ER,¢£\ {_ ‘ 1 _ _ ‘ 'Q \_ . V 1 .·’ \ `~. will FEB V l V · I - · " B BE: r V 1 1, z ,· BEVERLY NATIONA BANK `= ——;EARN1N<; Youn TRUST _S1NcE 1802— 1 , ,,/ Beverly: Downtown •... |
|||
Primary Source ID: 1822
| add details to this primary source Description | |||
|---|---|---|---|
|
North Carolina Data Breach Notification outlining Heartland Payment Systems breach that included credit card information.
|
|||
| Filename | Source | Researcher | Incident IDs |
| 20090130_Heartland.pdf | North Carolina Department of Justice, Consumer Protection Division | d2d | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| 0 | 2009-01-30 | 2009-06-13 | 17 Jul 08:45 |
| Excerpt | |||
Heartland , a$a ifggig a wr ra =¤ T r Q va ’¤" im llizhest Wtqqmrratr *`··= ‘r"st“Zwstarl `irnnwctlrrn: 0 V _ V ·# Charles Kallenbach lEi@f`lOl`Z5l Counsel and — Chia? Legal Officar January 30... |
|||
Primary Source ID: 2391
| add details to this primary source Description | |||
|---|---|---|---|
|
Maine breach notification: Tower Federal Credit Union - report about credit card information of their customers stolen through Heartland breach. Number of affected not disclosed here.
|
|||
| Filename | Source | Researcher | Incident IDs |
| 20090504_tower_federal_credit_union_ME.pdf | Maine Attorney General | d2d | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| Not yet entered | 2009-04-28 | 2009-12-06 | 08 Jun 06:18 |
| Excerpt | |||
TIT Tower Federal i I Credit Union Cynthia C. Scott Vice President · Marketing April 28, 2009 I HCI ‘ . Office ofthe Maine Attorney Ge al mgm bgiggmfgéwm BMSION Consumer Protection Division I E 6 St... |
|||
Primary Source ID: 2756
| add details to this primary source Description | |||
|---|---|---|---|
|
Massachusetts breach notification: Beverly National Bank - reporting that the Heartland breach affected 269 of their MA customers credit cards.
|
|||
| Filename | Source | Researcher | Incident IDs |
| 20090128-beverly-national-bank-MA.pdf | Massachusetts Attorney General | d2d | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| 269 | 2009-01-28 | 2010-04-27 | 08 Jun 06:23 |
| Excerpt | |||
~ ·‘’ »\_ p A ’ . 2 i» v · _\ ._ y i v_ 7 .a~ ; BEVERLY NATIONAL BANK l """*—EARN!NG YOUR Tnusr smc; 1502--- ; 4~¤‘ { Beverly: Downtown • North Beverly • Cummings Center ‘ `"`N Danver... |
|||
Primary Source ID: 2608
| add details to this primary source Description | |||
|---|---|---|---|
|
Massachusetts breach notification: Department of Revenue and J.P. Morgan Chase - 2,933 Child Support VISA cards exposed by the Heartland breach.
|
|||
| Filename | Source | Researcher | Incident IDs |
| 20090320-dept-of-revenue-MA.pdf | Massachusetts Attorney General | d2d | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| 2933 | 2009-03-20 | 2010-04-27 | 12 Aug 23:49 |
| Excerpt | |||
Q P THe Commonwealth of 9l/lassachusetts ( Egg; Qepartment of Revenue O1 RCE Qfifié Commzsstoner " Q-? O. Qoag 9550 NAVJEET K. BAL - - COMMISSIONER g (Boston, Wl}! 02114 9550 I March 20, 2009 Attomey... |
|||
Primary Source ID: 2611
| add details to this primary source Description | |||
|---|---|---|---|
|
Massachusetts breach notification: North Middlesex Savings Bank - notified by Visa of credit card fraud at merchant brick and mortar POS systems for about a month. Roughly 2,500 MA residents cards were active and exposed. This appears to be part of the Heartland Payment Systems breach.
|
|||
| Filename | Source | Researcher | Incident IDs |
| 20090302-north-middlesex-savings-bank-MA.pdf | Massachusetts Attorney General | d2d | <a href='/incidents/show/1518'>1518</a> |
| Records | File Date | Uploaded | Updated |
| 2500 | 2009-03-02 | 2010-04-27 | 08 Jan 19:55 |
| Excerpt | |||
N SAV/NGS BANK . . ` ° “ ~·· » e _ Bcmkmg at its personal best. A “"‘· ’:§·=* J March 2, 2009 A r Attomey General Martha Coakley Office ofthe Attorney General One Ashburton Place Boston, MA 021... |
|||
Videos
COMMENTS
by d2d [Data Loss Maven] on 2009-01-20 (over 3 years ago)
Washington Post is saying 100,000,000 cards, see the washington post reference.
by Anonymous on 2009-01-20 (over 3 years ago)
This breach is most likely WELL over 100mill. Heartland does 100mill or more PER MONTH. I would estimate 5-700 mill.
by Anonymous on 2009-01-21 (over 3 years ago)
The PSP in this case is of course PCI compliant? Not!
If they were Tripwire (or similiar) and malware should have been installed as standard and would have potentially protected against this.......
by Anonymous on 2009-01-22 (over 3 years ago)
Actually, they were PCI compliant as of April 2008.
by jericho [Senior Investigator] on 2009-01-23 (over 3 years ago)
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf
Service Provider: Heartland Payment Systems
Validation Date: April 30, 2008
Services Covered by Review: Payment Processing
Assessor: Trustwave
by Anonymous on 2009-01-23 (over 3 years ago)
"No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained."
http://www.snl.com/irweblinkx/file.aspx?IID=4094417&FID=7249269
by jericho [Senior Investigator] on 2009-01-24 (over 3 years ago)
An OSF staff member mailed the PCI-DSS contact for Trustwave asking for public comment.
by d2d [Data Loss Maven] on 2009-01-24 (over 3 years ago)
Suspect supposedly pinpointed per http://www.storefrontbacktalk.com/securityfraud/feds-identify-overseas-suspect-in-heartland-case/
by d2d [Data Loss Maven] on 2009-01-28 (over 3 years ago)
by Anonymous on 2009-01-30 (over 3 years ago)
I received a new discover card this week. The account number did not change, but the expiration and validation code on the back changed. When I called Discover to activate the card I ask why the change and he acknowledge it was due to the Heartland compromise.
by Anonymous on 2009-05-11 (about 3 years ago)
I've been watching this one since it happened in January. I just now (May 11th) got notified by Suntrust that my card may have been compromised in this breach. 4 months to notify me? They've got to be kidding.
by Anonymous on 2010-01-11 (over 2 years ago)
In a recent update Heartland Payment Systems announced today (January 8, 2010) that it will pay Visa-branded credit and debit card issuers up to $60 million to cover losses incurred from the Heartland data breach.
http://www.bankinfosecurity.com/articles.php?art_id=2054&rf=010910eb
Breach Types:
- Disposal Computer | Disposal Document | Disposal Tape | Disposal Drive
- Disposal Mobile | Email | Fax | Fraud Se
- Hack | Lost Computer | Lost Document | Lost Drive
- Lost Laptop | Lost Media | Lost Mobile | Lost Tape
- Missing Document | Missing Laptop | Missing Media | Snail Mail
- Stolen Computer | Stolen Document | Stolen Drive | Stolen Laptop
- Stolen Media | Stolen Mobile | Stolen Tape | Unknown
- Virus | Web |
