Heartland security breach could affect VIN, veterinary practices

Theft might be largest on record

January 21, 2009 (published)
By Jennifer Fiala

A massive security breach was revealed yesterday by New Jersey-based Heartland Payment Systems, which serves the payment processing needs of more than 250,000 businesses including an undisclosed number of veterinary practices and the Veterinary Information Network (VIN).

At press time, it was unknown whether VIN accounts were affected, although various news reports claim that the breach involved retail sales transactions, not online processes like those used to manage membership payments.

Repeated phone calls to Heartland communications staff and corporate offices were not returned. In a news release, company officials explain that the security breach may have involved more than 100 million credit and debit card accounts, making it one of the largest data thefts on record.

“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands, says Robert H.B. Baldwin, Jr., Heartland’s chief financial officer and president in a prepared statement. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and the Department of Justice.”

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers were involved in the breach, the news release adds.

The company, the news release states, was alerted by Visa and MasterCard in late 2008, of “suspicious activity” related to transactions at merchants that contracted with Heartland to process payments. The company hired forensic auditors to investigate. Last week they discovered that “malicious software” had compromised data that crossed Heartland’s network.

The stolen data includes credit and debit account numbers, expiration dates and names, but just how much information the software grabbed remains a mystery to date, reports a Washington Post article filed today.
The evidence, at least what’s released, points to an inside job, surmises Russell McGinnis, VIN development supervisor. He explains that VIN contracts with Heartland to process members’ payments, which has nothing to do with the retail sector.

VIN Founder Dr. Paul Pion concurs: “From everything we’ve seen and heard so far, I don't think this will affect VIN members. But it’s too early to know for certain. It looks like somebody inside Heartland installed a piece of software on their servers intended to relay information to someone, somewhere."

It's frustrating, Pion adds, considering VIN has spent more than $100,000 on hardware and software and countless hours securing member credit card data in compliance with standards set by industry giants in credit card processing.

"To then hear that a lapse downstream from us by those we assume are doing much more than we ever could has potentially placed our colleagues at risk is disheartening," he says. "Given the sheer magnitude of this situation and the statements that it is less likely to affect online transactions, I do believe that VIN members have little to worry about.

But it does underscore the reality that the biggest risk for all who handle credit cards lies within their organization, not outside. This is true for Heartland, VIN and VIN members. We trust all VIN employees but still have put in place processes that ensure that only one or two very high level and trusted employees have access to enough information to access VIN member credit card information."

Pion advises VIN members to similarly protect their clients by storing client credit cards in a secure manner in their practices and putting in place systems that limit the potential for front-office staff to misuse their clients' credit card information.

"I hate the thought that this is necessary," he says, "but the reality is that this remains the most vulnerable link in the chain."

VIN News Service commentaries are opinion pieces presenting insights, personal experiences and/or perspectives on topical issues by members of the veterinary community. To submit a commentary for consideration, email news@vin.com.

Information and opinions expressed in letters to the editor are those of the author and are independent of the VIN News Service. Letters may be edited for style. We do not verify their content for accuracy.