Payments processor Heartland Payment Systems Inc. said Tuesday its system used to process more than 100 million Visa, MasterCard, American Express and Discover Card transactions was breached last year.
Robert H.B. Baldwin Jr., president and CFO, said the company found evidence last week of an intrusion and immediately notified federal law enforcement officials as well as Visa and MasterCard.
Baldwin said card numbers and cardholders' names were breached, or one or the other.
Heartland said the breach did not involve merchant data, cardholders' Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers.
Still, Steamboat Springs security consultant Rob Douglas predicted the breach could have a far-reaching impact.
"They are a processor for mostly small and medium restaurants and have 250,000 clients, so there are bound to be impacted Colorado businesses and individuals," Douglas wrote by e-mail.
"This will be one of those stories that is going to grow in the coming days and weeks as more is learned."
Washington Post columnist Brian Krebs noted "the data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards."
Douglas and others questioned whether Heartland was trying to bury the news on a day the media was focused on the presidential inauguration.
Heartland has established a Web site, www.2008breach.com, to provide information about the incident and advised cardholders to examine their monthly statements and report suspicious activity to their card issuers.
The company said it is increasing security in its systems and will establish a program to flag "network anomalies" as they occur and enable law enforcement to make arrests.