Heartland's New BreachPayroll Center's Stolen Computers Housed PII
A new breach reported by Heartland Payment Systems, the same company that in 2008 suffered a payments hack that exposed 130 million U.S. credit and debit cards, hasn't received much attention. But this latest breach could potentially be far more damaging individually to the undisclosed number of consumers affected, one fraud expert tells me.
Here's why: This new incident involves payroll information, including bank account details, that was stored and processed by Heartland, according to a statement from Heartland posted on the California Attorney General's website.
It won't get the attention the breach of their credit card service got, but it's probably more serious.
According to this alert, Heartland on May 8 reported this breach, which was the result of physical theft. "An incident occurred at our office in Santa Ana, California," Heartland reported. "Many items, including password protected computers belonging to Heartland were stolen. One of these computers may have stored ... Social Security number and/or bank account information processed for [customers'] employer."
Fraud expert Avivah Litan, an analyst with the consultancy Gartner, says a breach of personally identifiable information associated with payroll processing poses much greater risks for consumers than a breach of card data. Yet, these types of incidents don't garner as many headlines as those exposing credit cards.
"It won't get the attention the breach of their credit card service got, but it's probably more serious," she says. "Just like the stuff that happened at the IRS, when 100,000 taxpayers had their accounts breached. For years, no one has reacted or paid attention to the breach of payroll data or taxpayer information, even though the loss of this kind of information is so much more serious to a consumer than credit cards. With credit cards, we are all protected, and the cards can be reissued."
With the theft of PII associated with payroll and taxes, identity theft, new account fraud and bank account takeover are all real possibilities. Plus, Litan notes, "There's no network to look for the suspicious use of PII or bank account numbers that have been breached in an attack like this. There's no network there, like MasterCard or Visa, to review things like they do for suspicious card activity.
"If someone starts taking money out of my bank account, there is nothing you can do about it, unless I can prove that someone has stolen my identity," Litan says.
"Under state data security laws ... mobile devices [such as laptops] must be encrypted, if they contain PII," Pierson says. "However, based on the letter to affected individuals, it is impossible to tell if desktops and/or laptops were stolen. If laptops were stolen, it is best practice and may be legally required for the devices to be encrypted."
Otherwise, the data on a desktop computer could be wide open.
Heartland, which provides a turnkey payroll service, is providing free credit monitoring to all payroll employees who may have been affected.
And in an emailed statement sent to Information Security Media Group, Heartland spokesman Kevin Petschow answers a few additional questions, but does not specify how many computers were stolen, and whether the devices stolen were desktops or mobile.
"This incident only affects a limited number of our payroll solutions' customers and not our payment processing solutions," Petschow says. "We are working with local law enforcement agencies to address this matter. Their investigation is ongoing."
He goes on to say that thieves broke into Heartland Payroll Solutions' payroll facility in California and stole the computers. "There have been no known reports of identity theft related to this incident," he adds.
In its notice, Heartland also states: "We have seen no evidence suggesting that the data has been accessed on the stolen computers or used in any way, and we have no reason to believe any such use will occur. We have involved state and federal regulatory and law enforcement agencies to assist us in determining how to proceed with the matter at hand. Heartland continues to monitor the situation carefully and has increased its internal security and review procedures to watch for any unusual activity."
The good news about this breach is that the computers may not have been targeted because they housed Social Security numbers and bank account details. They may have just been stolen as part of a low-tech crime aimed at stealing hardware for resale.
But because we don't know the intent of the thieves, we can't be certain.
Banking institutions need to be mindful of how stolen payroll data, including bank account information, could be used to commit fraud or take over a customer's bank account. "Banks have to put mechanisms into their systems, like the credit cards have, so that when data like this is stolen, they can detect behaviors within the account or activities that might be abnormal," Litan says.
Of course, consumers also need to play more active roles, by monitoring their accounts and signing up for alerts, to let them know when unauthorized transactions have been conducted or account information has been changed without their consent.