
Getting to the Heartland of data loss
By Elinor Mills
Published: 21 January 2009 15:42 GMT
Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses, reported Tuesday that consumer credit card data was exposed in what may be the largest security breach ever.
In a statement, Heartland said the breach occurred last year but that it found evidence of the intrusion last week and immediately notified law enforcement and credit card companies.
Robert HB Baldwin Jr, president and chief financial officer of Heartland, told silicon.com sister site CNET News he did not know how many credit and debit card accounts may have had their information exposed. The company handles 100 million transactions per month but does not know exactly how many unique cards or consumers that translates to, he said.
"We could do that analysis but we have not done it," Baldwin said. "The question is what percentage of transactions did the malware capture and what percentage got out to the bad guys?"
He also would not say when the malware arrived in its system. "We have suspicions as to when but can't nail that down. We're still working on how" the malware got there, he added. "We believe the intrusion is contained."
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are co-operating closely with the United States Secret Service and Department of Justice," Baldwin said in the statement.
No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said.
Heartland was alerted in the late autumn by Visa and MasterCard to suspicious activity surrounding processed card transactions, and hired forensic auditors, who uncovered malicious software that compromised data in the company's network, Baldwin said.
The company said it will implement a system to flag anomalies in real time and has created a website to provide information on the breach to customers, who will not be held responsible for fraudulent charges.
Previously, the largest breach was the 45.7 million credit and debit card numbers reported compromised in 2007 by TJX, which owns retailers TJ Maxx and Marshalls. TJX settled a class action lawsuit in that case. Eleven people, from the US, Europe and China, were charged in the case.
Reports of data breaches in the US increased 47 per cent in 2008 from the year before, the not-for-profit Identity Theft Resource Center reported in a study released two weeks ago. About 14 per cent of the breaches were due to hacking, the report said.
Original article: Payment processor Heartland reports breach from CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.