Major payroll processor loses data in physical breach
Heartland Payment Systems, a major payroll processing company, is notifying customers their information may be exposed after computers were stolen from the company’s offices in Santa Ana, Calif.
Heartland works with over 250,000 companies nationwide, making it one of the largest payment processors in the United States.
{mosads}“Many items, including password protected computers belonging to Heartland were stolen,” the company said in a letter sent to roughly 2,200 individuals on Monday, describing the May 8 theft.
“One of these computers may have stored your Social Security number and/or bank account information processed for your employer,” it continued.
Social Security numbers and banking details are considered to be among the most valuable data for digital crooks. The info can be used to withdraw funds or open up new accounts in the person’s name.
“It will then be up to the user to show that their identity has been compromised,” said Stewart Draper, director of insider threat at security firm Securonix, in a statement. “That can be a very difficult process for a majority of those that are impacted.”
The data can also be sold for considerable money on the dark Web.
With a breach of credit card data, it’s easy to issue a new card and quickly reimburse any fraudulent charges.
The theft has also led to allegations from the security community that Heartland wasn’t properly encrypting its data.
In a Monday release, Heartland responded that it “has already encrypted most computers, and as we integrate acquisitions, Heartland is actively working to encrypt any remaining computers in every office that may have access to, or house, [personally identifiable information] or payment data.”
The payroll processor added that it doesn’t believe information on the pilfered computers has been used to drive identity theft.
“We have seen no evidence suggesting that the data has been accessed on the stolen computers or used in any way, and we have no reason to believe any such use will occur,” the company said in its letter to possible victims.
The incident comes months after Heartland issued a breach warranty to its customers, promising to reimburse merchants for all costs related to a data breach involving Heartland’s credit card payment processing system.
It’s not clear whether the warranty would apply to this situation, as the breach arose from a physical theft, not a flaw in the payment processing system.
Heartland was the victim of one of the country’s first mega-breaches. In 2008, its systems were hacked, exposing the payment data of 130 million people.
As has become commonplace following a breach, Heartland will provide free credit monitoring to victims of the breach.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed..