Scores of credit unions and banks are notifying customers and issuing new credit cards in the wake of the Heartland Payment Systems Inc. breach.
The Princeton, N.J.-based payment processor announced Jan. 20 that its system was breached last year when intruders installed malware that snatched data crossing the company's network. Heartland hasn't disclosed the number of credit cards affected, but notifications from many financial institutions across the country indicate the potentially massive scale of the breach.
State Employees' Credit Union in North Carolina said more than 60,000 of its members were affected by the Heartland breach. To protect its members, the credit union reissued new credit card numbers and personal identification numbers for members that were possibly compromised.
"We're taking the most costly but the most conservative approach," said Leigh Brady, senior vice president of education services at SECU.
Leanne Phelps, senior vice president of SECU's Card and Record Services department said in a statement released Sunday, "The breach at HPS has probably affected every financial institution in the country; while not all institutions will reissue cards and PINs, SECU feels it can best protect its members with this action."
Industry observers have said the Heartland breach could be larger than the TJX data security breach, in which 45.7 million credit and debit cards were stolen. Heartland serves more than 250,000 businesses and handles more than 4 billion transactions per year.
"Although the exact number of affected cards is not known, it is expected to be many millions," Chuck Cashman, plastic card insurance product executive at CUNA Mutual Group, a Madison, Wis.-based provider of financial services to credit unions, said in a prepared statement last week.
About 4,000 Washington State Employees Credit Union members were affected by the Heartland breach, said spokeswoman Ann Flannigan. The credit union is processing a complete reissue of affected debit and credit cards.
"We go to great lengths to protect our membership and it is standard for us to reissue cards automatically when we get notification of something like this. It's costly -- both in terms of dollars and personnel time -- but it's the right thing to do on our members' behalf and one of those things we think distinguishes WSECU from other institutions," Flannigan wrote in an email. "It's not acceptable for us to wait and see if something happens. We're proactive."
In a notice on its website, Notre Dame Federal Credit Union said it had blocked a few more than 2,000 cards that were reported as compromised in the Heartland breach.
"The decision to block the affected cards was made for the cardholder's protection, as well as for that of the credit union," the organization said. While the credit union said it hasn't discovered any fraud on its members' accounts, it added, "the threat of fraud is very real, and therefore, all exposed cards were blocked, and new cards have been issued for affected members."
The Association of Vermont Credit Unions said the Heartland breach affected 6,000 cards at credit unions on its ATM/debit card program, as well as thousands more at other Vermont credit unions.
The association said its processor, Fifth/Third Processing Solutions, informed it of the breach Jan. 9 as details were unfolding, prompting it to begin working with its credit unions, its processor and MasterCard to deactivate and reissue compromised cards.
Other financial institutions affected by the Heartland intrusion include:
On Tuesday, a Pa.-based law firm filed a class-action lawsuit against Heartland, claiming the company issued belated and inaccurate statements when it announced its systems were hacked.