Credit card processing firm Heartland Payment Systems has uncovered malicious software in its computers that has been diverting information used for credit card cloning.
The company said that it started to get reports last year of increasing levels of card fraud among its customer base.
Heartland called in investigators, who found malicious code on its servers that could scan and send on the data stored on the magnetic stripe of credit and debit cards.
The company handles up to 100 million credit card transactions a month for over 250,000 US businesses.
"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert Baldwin, Heartland's president and chief financial officer, in a statement.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are co-operating closely with the US Secret Service and Department of Justice."
The company has stressed that the code could not record Social Security numbers, unencrypted PINs, addresses or telephone numbers. Nevertheless, the information could be used to create cloned cards.
"Today's systems have 'air gaps' where the data is unencrypted, and there is always the potential for data leakage," Mark Bower, director of information protection solutions at Voltage Security, told vnunet.com.
"There are some techniques to avoid this problem, notably format-preserving encryption. This uses standard algorithms to encrypt data from the get-go."
Bower explained that some merchants are encrypting data only for storage, and then sending decrypted information for processing, which is highly unsafe.
The timing of the announcement, on the same day as the US presidential inauguration, has also been questioned.
"It is certainly interesting timing, but it won't bury the news. The TJ Maxx case resonated for months, and this is much bigger," said Bower.
"It's not the initial breach that's the problem; it's criminals selling that data on, which can continue to be a problem for months."