The list of financial institutions that have said they were affected by the data breach disclosed last month by Heartland Payment Systems Inc. is growing longer by the day and now includes banks in 40 states as well as Canada, Bermuda and Guam, according to the BankInfoSecurity.com news portal.
The Web site today published a list containing the names of 157 institutions that it said have publicly disclosed to customers that they were victimized as a result of the breach at Heartland, a large payment processor in Princeton, N.J. The list includes two banks in Bermuda, plus one each in Canada and Guam.
A Heartland spokesman said today that while he had seen the report on BankInfoSecurity.com, he was unable to verify whether the numbers cited by the Web site were correct.
Meanwhile, in another indication of the fallout from the breach, 83% of the 512 banks that responded to an informal "quick poll" survey conducted in late January by the Independent Community Bankers of America (ICBA) trade group said that credit or debit cards they had issued were compromised in the incident at Heartland. Another 12% said they didn't know yet if they had been affected, while just 4% said they hadn't been, according to the ICBA, which has more than 5,000 member banks from around the U.S.
The banks on the list compiled by BankInfoSecurity.com appear to be mostly smaller institutions, although there are a handful of larger ones, such as Sovereign Bank.
Only about 50 of the banks on the list appear to have publicly disclosed the number of their credit and debit cards that were affected by the Heartland breach. A rough tally of the total number of compromised cards announced by those institutions amounted to more than 300,000 cards, with the individual counts ranging from 16 in the case of Valley Bank & Trust Co. in Gering, Neb., to about 75,000 at Trustmark National Bank in Jackson, Miss.
The overall scope of the Heartland breach remains largely a matter of conjecture. But it is potentially massive: Heartland processes payment card transactions for about 250,000 merchants and handles an average of more than 100 million transactions per month.
The company disclosed Jan. 20 that intruders had broken into its systems sometime last year and planted malware that they used to steal card data. Heartland itself hasn't publicly confirmed any further details about the breach, or specified when the intrusion happened. But some affected financial institutions have said that it occurred in May 2008 and wasn't discovered until earlier this year.
The apparent fact that the intrusion remained undetected for so long, and the number of transactions that Heartland processes, have led some analysts to surmise that the breach might well surpass the one disclosed by The TJX Companies Inc. in January 2007 as the largest thus far involving payment card data.
The Heartland breach already has led to a class-action lawsuit being filed against the company by law firm Chimicles & Tikellis LLP in Haverford, Pa., on behalf of a resident of Woodbury, Minn., and others who might have been affected by the data compromise.
In addition, the Washington Credit Union League in Federal Way, Wash., is pushing state legislators there to revive legislation that would mandate specific data protection controls on all merchants and third parties that process payment card data. The bill received its first hearing before a committee in the Washington House of Representatives soon after the breach disclosure, according to a statement released by the WCUL.
By Jaikumar Vijayan