US payment processor in credit data breach

One of the largest credit-card payment processors in the US has discovered malware that compromises data in its systems
Written by Tom Espiner, Contributor

A US-based payment processor has suffered an information breach that could have compromised millions of credit-card details.

Heartland Payment Systems, one of the largest US payment processors, announced on Tuesday that it had discovered "malicious software that compromised data" across the company's network in 2008. The company processes credit-card and debit-card information from 250,000 retailers with net sales of $1.3bn (£940m) annually.

"We found evidence of an intrusion last week and immediately notified federal law-enforcement officials as well as the card brands," said Robert Baldwin, Heartland's president and chief financial officer, in a statement.

The company suspects the malware was planted as part of a "global cyber-fraud operation", and is co-operating with the US Secret Service and the Department of Justice in an investigation.

The compromise came to light after Visa and MasterCard approached Heartland citing "suspicious activity around processed card transactions", said the statement. Following a forensic investigation, Heartland found the malware.

The company said that while its payment-processing systems had been compromised, no retailer information or cardholder Social Security numbers had been exposed. No unencrypted PINs (personal identification numbers), addresses or telephone numbers were involved in the breach, the company added.

The company said it believed the malware had been "contained", and added that it would implement an intrusion-detection system to "flag network anomalies in real-time".

Heartland had not responded to a request for comment at the time of writing.
