Heartland Payment Systems, the sixth-largest payments processor in the U.S., announced today that its processing systems were breached in 2008, exposing an undetermined number of consumers to potential fraud. While the company continues to assess the damage inflicted by the attack, Robert Baldwin, the company's president and CFO, says law enforcement has already noted that the attack against his company is part of a wider cyber fraud operation.
"The indication that it is tied to wider cyber fraud operation comes directly from conversations with the Department of Justice and the U.S. Secret Service," Baldwin says. The company says it believes the breach has been contained.
Heartland, headquartered in Princeton, NJ, handles approximately 100 million transactions per month, although the number of unique cardholders is much lower. "It is still a question as to the percentage of the data flow they were able to get," Baldwin says, adding he would not speculate on the number of cards potentially exposed.
Specifics surrounding when the breach occurred are still being analyzed. But Baldwin says two forensic auditing teams have been working on the breach analysis and investigation since late 2008, after Heartland received the notification from Visa and MasterCard. The investigation began immediately after the credit card companies told Heartland they saw suspicious activity surrounding processed card transactions.
Baldwin describes it as "quite a sophisticated attack" and says it has been challenging to discover exactly how it happened. The forensic teams found that hackers "were grabbing numbers with sniffer malware as it went over our processing platform," Baldwin says. "Unfortunately, we are confident that card holder names and numbers were exposed."
Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains: "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."
No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems. The company delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.
Baldwin says the company moved quickly to announce the breach.
"It is important to get it out, but leaves us with incomplete information for our customers until the investigation is complete," he says. For more information on the breach, the company has set up a website: www.2008breach.com. Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers.