Credit-Card Processor Reports a Massive Data Breach
(Wall Street Journal) A recently discovered data breach at a New Jersey credit-card processor could rank among the biggest ever reported.
Heartland Payment Systems Inc. disclosed Tuesday that cyber criminals compromised its internal computer network, gaining access to customer information associated with the 100 million card transactions it handles each month.
The company said it couldn’t estimate how many customer records may have been improperly accessed but that the compromised data includes credit card numbers, card expiration dates and some internal bank codes. Heartland, which is based in Princeton, N.J., processes transactions for more than 250,000 businesses nationwide.
Avivah Litan, an analyst at research company Gartner, estimated that as many as 100 million consumers could have had their credit-card data stolen, based on her conversations with industry executives. Previously, the largest known breach occurred when around 45 million credit- and debit-card numbers were stolen from retail company TJX Companies Inc.
“I would call this the largest breach ever,” Ms. Litan said.
But Robert Baldwin, Heartland’s president and chief financial officer, called her estimate a “totally fictional number.” The company added that, since it’s too early to say how many records were accessed, calling it the largest-ever breach would be “speculative.”
Software ‘Light-Years More Sophisticated’
Representatives from Visa Inc. and MasterCard Inc. alerted Heartland to a pattern of fraudulent transactions on accounts that the processor handled some time in the fall, Mr. Baldwin said. But an internal investigation and subsequent audits failed to detect a security breach.
Last week, however, a forensic investigator discovered evidence of the breach. Mr. Baldwin said that the criminal targeted Heartland with a piece of malicious software that was “light-years more sophisticated” than the viruses commonly downloaded off the Internet. He declined to say if the software was on the company’s network before the fall or how many records were accessed, adding “in all likelihood we will never know.”
The retail and payment-card industries have spent around $2 billion in recent years to improve data security, Ms. Litan said. In December, another payment processor, RBS WorldPay, a division of Royal Bank of Scotland Group, announced that its systems were breached. That criminals could break into a payment processor shows that “much more radical steps are needed” to protect payment information, she said.
Unauthorized Data Access on the Rise
More than forty states now have laws that require businesses to disclose when sensitive information may have been accessed by an unauthorized party. In 2008, 656 such incidents were publicly reported, according to the Identity Theft Resource Center, a non-profit organization dedicated to helping victims of identity theft. That’s up from 446 in 2007.
Heartland said it has isolated the affected computers and removed the malware. It hasn’t made any new investments in security technology yet, but “everything is on the table,” Mr. Baldwin said.
The company is working with the U.S. Secret Service to investigate the incident, Mr. Baldwin said. It has been “working feverishly to assemble all the evidence we could” about the extent of the breach and who caused it, he said.