The first arrests have been made in connection with the recently disclosed breach at US firm Heartland Payment Systems, which analysts said affected over 100 million people.
The Leon County, Florida Sheriff's office earlier has announced the arrests of three area residents -- Tony Acreus, Jeremy Frazier and Timothy Johns -- for allegedly using stolen credit card numbers associated with the breach.
The arrests followed a three-month investigation of a major stolen credit card ring by the sheriff's office, the Tallahassee Police Department and the US Secret Service. BankInfoSecurity.com first reported the arrests, and said that the number of financial institutions affected by the breach now stands at more than 220.
A statement from the Leon County Sheriff's office said the three men were arrested after being caught using stolen credit card numbers to make fraudulent purchases at local Wal-Mart stores. The three apparently used card information stolen from Heartland to "electronically encode VISA Gift Cards" which they would then use to purchase goods from retailers, the statement said. The goods were then sold for cash.
The combined amount of actual and attempted fraudulent transactions by the three exceeded $100,000, the sheriff's office said, adding that the investigation is ongoing and could result in additional charges and arrests.
Heartland is a US-based firm that processes payment card transactions for more than 250,000 merchants. On 20 Jan, it disclosed that unknown intruders had broken into its networks last year and stolen payment card transaction data. Although Heartland didn't disclose the number of card accounts that were compromised, outside estimates from analysts and people within the payment industry pegged the number at more than 100 million.
That would make it by far the biggest payment card breach to date, surpassing the 45.6 million card numbers TJX Companies Inc. said were stolen in a breach disclosed in January 2007.
The list of financial institutions affected by the Heartland breach now includes those in more than 40 US states as well as banks in Bermuda, Canada and Guam, according to BankInfoSecurity.com.
The Heartland breach already has led to a class-action lawsuit against the company by law firm Chimicles & Tikellis LLP in Haverford, Pa. on behalf of a resident of Woodbury, Minn. and others who might have been affected by the data compromise.
In addition, the Washington Credit Union League in Federal Way, Wash., is pushing state legislators there to revive legislation that would mandate specific data protection controls on all merchants and third parties that process payment card data. The bill received its first hearing before a committee in the Washington House of Representatives soon after the breach disclosure, according to a statement by the WCUL.