Heartland Discloses Theft that Could Include Unencrypted PII

June 1, 2015

Heartland Discloses Theft that Could Include Unencrypted PII New Jersey-based payment processor Heartland Payment Systems has disclosed a theft that includes computers containing personally identifiable information by way of the payrolls the company processes for employers. Heartland posted a notice on the California Attorney General’s Website notifying the public that its Santa Ana, Calif. office was broken into on May 8 by thieves who removed “many items, including password protected computers belonging to Heartland. One of these computers may have stored your Social Security number and/or bank account information processed for your employer.”

In 2008, Heartland was the victim of one of the largest network breaches ever, when the credit-card accounts of 130 million consumers were compromised. Some experts in published reports have seized on the wording of the statement to speculate that the computers that were stolen were “password protected” but not encrypted. It is not yet clear if that is the case. In its statement, Heartland was optimistic, but did not disclose if the information contained in the stolen computers is encrypted.

“We have seen no evidence suggesting that the data has been accessed on the stolen computers or used in any way, and we have no reason to believe any such use will occur,” the statement said. We have involved state and federal regulatory and law enforcement agencies to assist us in determining how to proceed with the matter at hand. Heartland continues to monitor the situation carefully and has increased its internal security and review procedures to watch for any unusual activity.”