Hundreds of Maine credit and debit card holders appear to have been victims of a nationwide data theft carried out against Heartland Payment Systems, which processes cards for 250,000 restaurants, retailers and other businesses.
Several Maine credit unions have been told by Visa and MasterCard that fraudulent charges were placed on members’ cards between May 16 and Aug. 19, 2008, according to Jon Paradise, spokesman for the Maine Credit Union League. Many of the charges were tallied at Wal-Mart stores in Texas, he said.
“We are not aware of all merchants that utilize Heartland Payment Systems,” Paradise said. “However, based on the number of affected cards, as well as the amount of recent fraud incidents, we are anticipating that this event will have an impact on our credit unions.”
The credit union news comes as financial institutions across Maine are continuing to assess the scope of the nationwide data breach. Some security experts say it may be the largest on record, in terms of the number of transactions. And some Maine banks were preparing to reissue cards that may have been compromised by the breach.
Heartland disclosed Tuesday that intruders had hacked into its computers last year, compromising a system used to process 100 million card transactions a month. The company said card numbers and cardholder names were captured, but not Social Security numbers or personal identification numbers.
Maine’s Attorney General’s Office contacted Heartland on Wednesday to get more information about the impact. How many cardholders are affected and how much money might have been illegally charged remain unknown.
Cardholders are being warned to check their monthly statements, dating to last May, for signs of unauthorized activity. They also should call their banks and credit unions with questions. Consumers aren’t responsible for fraudulent charges that are detected.
Some banks already are making plans to reissue cards, just to be safe. Others are monitoring accounts and waiting to see if further action seems warranted.
Meanwhile, data security experts warned residents to be on guard for attempts by criminals to gain access to personal information in the aftermath of the Heartland case.
Although some banks had gotten word of the problem last week, Heartland didn’t make a public announcement until Tuesday, and the news was eclipsed by the presidential inauguration.
Initial reports indicate that malicious software planted on the payment processing network captured data sent to Heartland by its clients. Heartland said it only learned of the problem last week, after being alerted of suspicious activity by Visa and MasterCard.
Maine financial institutions are responding in different ways.
At PeoplesChoice Credit Union in Saco, the Heartland news settles a three-month mystery.
“We’ve been experiencing losses since October,” said Luke Labbe, president and chief executive officer. “We couldn’t figure out where they were coming from.”
The credit union noticed a pattern in which small charges were being rung up at gas stations in the South, followed by a $500 or so charge at a nearby Wal-Mart.
Labbe since has learned that 500 or so Visa credit and debit cards issued by the credit union may have been compromised by the Heartland data breach, and that 50 or 60 customers actually have fraudulent charges on their cards.
“I suspect we will have others,” Labbe said, noting that the tarnished cards are being reissued.
Kennebunk Savings Bank has 7,000 MasterCard accounts that potentially could have been compromised. The bank decided early Wednesday that it will send new cards to customers, although it hadn’t gotten any reports of misused cards or detected fraudulent charges.
“Usually, we pick up that before customers do,” said Brad Paige, president and chief executive officer at Kennebunk Savings.
The cost to reissue a card is around $10 to each; in this case, about $70,000-$84,000. This cost, Paige stressed, including any fraud associated with the account, is the full responsibility of the bank.
Two of the state’s largest banks said they’re waiting for more information to assess the level of risk to their customers.
TD Banknorth said it had determined that some debit and credit card customers are affected, and is working with Visa and other agencies in the preliminary stages of an investigation. It declined to provide further details, except to say its fraud detection technology hadn’t detected any activity related to Heartland.
“At this time, we don’t have plans to do a mass-reissue of cards for impacted customers, because of the fraud detection tools we have in place,” the bank said in a written statement.
Bangor Savings Bank, which has 70,000 Visa cardholders, said its internal fraud-detection software had so far not detected any problems. For now, the bank isn’t planning to reissue new cards for all customers, relying instead on its monitoring technology to pick up fraudulent activity.
“These data breaches are going to be a fact of life in modern society,” said Yellow Light Breen, the bank’s senior vice president.
This is the third time in the past two years that Maine banks and credit unions have had to deal with a major data theft incident.
They have spent more than $2.1 million investigating problems, informing customers and reissuing new cards after two other breaches, according to a recent report by the state’s Bureau of Financial Institutions.
In January of 2007, the parent company of retailers T.J. Maxx and Marshall’s reported a data breach that cost Maine institutions $500,000. Last February, a breach in the transaction system operated by the Hannaford Bros. supermarket chain cost $1.6 million.
By law, banks and credit unions absorb the cost of responding to these data theft incursions. They are asking the Maine Legislature to force retailers to share the expense of future breaches, a condition retailers oppose.
In the wake of the data breach, security experts are warning consumers to watch for criminals trying to take advantage of any confusion.
“When we see a breach, the next step is phishing scams,” said Sari Greene, founder of Sage Data Security Inc. in South Portland.
Residents may soon notice official-looking e-mails or receive phone calls warning them that their credit cards have been compromised and to provide personal information, so that their funds won’t be cut off. Ignore these messages, she said.
“Banks aren’t going to call and ask for your Social Security or PIN number,” she said. “They already have that information.”
Heartland has created a Web site to update consumers at www.2008breach.com.