HSBC Bank USA, M&T Bank Corp., and more than 530 other banks and credit unions nationwide are re-issuing new credit and debit cards to consumers after a major security breach at a nationwide transaction processor was disclosed last month.
Heartland Payment Systems said last month it had just learned its processing system had been breached in 2008, possibly as part of what its president, Robert H.B. Baldwin, called "a widespread global cyber fraud operation."
The company immediately notified credit card companies and law enforcement, including the U.S. Secret Service and Justice Department, and issued a press release to alert the public.
Officials say they believe the breach has been "contained," and that the only information that may have been exposed was card numbers, expiration dates and other data from the cards' magnetic stripes. In some cases, the names of cardholders who used their cards at one of Heartland's merchant clients' stores may also have been revealed.
The breach has affected banks ranging from the nation's largest to some of the smallest, including HSBC, M&T, Citigroup, Bank of America Corp., JP Morgan Chase & Co., Wells Fargo & Co., and Summit Federal Credit Union of Rochester. To be safe, many are sending out new credit and debit cards, with new card numbers.
Meanwhile, the New York State Consumer Protection Board is calling for stronger laws to mandate disclosures to consumers when a computer security breach exposes personal information, noting that the Heartland breach could be one of the largest in history.
The state's top consumer watchdog agency this week called on banks and other companies that know their customers' data may have been compromised by the cyber-theft at Heartland to notify affected individuals directly and immediately, and to re-issue credit or debit cards.
The agency also urged those other companies to post information on their Web sites and link directly to a special Web site set up by Heartland to explain what happened: www.2008breach.com.
"A breach of this enormity necessitates action on behalf of consumers who, to date, probably don't even know that their personal and private information may have been affected," said Mindy A. Bockstein, the Consumer Protection Board's chairperson and executive director.
A number of banks have begun re-issuing cards and alerting customers, including HSBC North America. The total number of affected customers is not known. Heartland says it doesn't have the names or addresses of affected cardholders.
The state agency praised the Princeton, N.J.-based transaction processor for being upfront in its Jan. 20 disclosure. But it noted that, under current state law governing disclosures of breaches to consumers, such notification to the public and the state was voluntary.
The nature of the Heartland breach and the lack of consistency in how banks and merchants are notifying their own customers have created confusion among consumers, who may not know whether they are affected, Bockstein said. She said banks and merchants that used Heartland should send letters and emails or post notices online to alert customers.
"There is a lack of consistency in the way information is being disclosed to consumers and the way they are being treated varies depending on the credit card issuing entity," said Bockstein.
Heartland is one of the nation's leading providers of credit card, debit card and prepaid card processing services, payroll services, check management and other payment services. It is the sixth-largest credit and debit card processor, processing more than 100 million transactions a month for more than 250,000 restaurants, retailers and other small to mid-sized businesses nationwide.
Following warnings from Visa and Mastercard about suspicious activity involving processed card transactions, the company hired forensic experts to investigate and discovered "malicious software" embedded in its system that "compromised data that crossed Heartland's network," according to a Heartland press release.
The company said no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers were involved. The breach also did not involve the company's check management systems, its Canadian, payroll, campus solutions or micropayments operations, or certain other business lines.
Officials reiterated that customers are not responsible for unauthorized card charges made by third parties if the charges are "reported in a timely way" to card issuers. The company urged customers to monitor their card and bank statements and to report suspicious activity.