Heartland Payment Systems, a payment processing provider based in Princeton, N.J., has disclosed that the security of its network has been compromised by unknown attackers. During a recent audit malicious applications intercepting and stealing transaction data have been found installed on the company's systems.

The company is considered to be the sixth-largest payment processor in the U.S., and handles an estimated 100 million transactions every month. The provider is processing payments for over 250,000 mostly small and mid-size businesses and merchants across the country.

Heartland officials have explained in a press release that the security breach was discovered during an internal investigation ordered by the company after being notified by Visa and MasterCard about fraudulent activity on some of the processed cards. The company notes that it contracted several forensic auditors to lead the investigation in late 2008.

“We found evidence of an intrusion last week, and immediately notified federal law enforcement officials as well as the card brands,” Robert H.B. Baldwin, Jr., Heartland's president, commented. He also noted that the information they received from the United States Secret Service and the Department of Justice pointed to this attack, which he described as being “quite sophisticated,” and actually part of a larger “widespread global cyber fraud operation.”

The company is still analyzing the impact of the incident, but can confirm that credit card numbers and card holder names have been compromised. However, the evidence so far clearly indicates that neither merchant data, PINs, or personal identifiable information, such as Social Security numbers, addresses or telephone numbers, have been affected by the security breach, and nor was the company's check management systems.

Mr. Baldwin apologized for this situation on behalf of the company. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective,” he added.  In this respect, the company has announced plans to implement a “next-generation program,” which is designed to improve the detection of suspicious network activity.

Heartland has also set up a website in order to keep its customers informed about the development of this incident, and provide affected cardholders with instructions on how to discover and report suspicious activity on their monthly statements.

Some financial fraud analysts questioned the timing chosen by the company to go public with this incident. They argued that doing it on the inauguration day significantly reduced the level of exposure. “We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility,” Mr. Baldwin explained for Security Fix.

At the end of December 2008, we reported that RBS WorldPay, another U.S.-based payment processing provider, announced that unauthorized and unknown parties had obtained access to its computer systems. The RBS WorldPay security breach affected an estimated 1.5 million card holders.