Payment Processor Breach May Be Largest Ever

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions of credit and debit card transactions, the company said today.

If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.

Robert Baldwin, Heartland's president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants that rely on Heartland to process payments.

Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach.

Baldwin said it would be unfair to mention any one of his company's customers.

"No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair," he said. "Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know."

Heartland called in the U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: a piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent to Heartland for processing by thousands of the company's retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."

The company stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were jeopardized as a result of the breach.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."

In many cases where a processor experiences a breach, the affected banks may simply re-issue new cards to some customers. In other cases, consumers may spot the first signs of fraudulent activity by reviewing their bank statements. It is unclear whether consumers who receive new account numbers from their bank will ever be able to definitively tie the re-issuance to the Heartland breach.

Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services.

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said. "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers."

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.

"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."

Officials from the U.S. Secret Service could not be immediately reached for comment.

Baldwin said Heartland worked to disclose the breach last week.

"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said. "We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility."

The Heartland disclosure follows a year of similar breach disclosures at several major U.S. card processors. On December 23, RBS Worldpay, a subsidiary of Citizens Financial Group Inc., said a breach of its payment systems may have affected more than 1.5 million people.

In March 2008, Hannaford Brothers Co. disclosed that a breach of its payment systems -- also aided by malicious software -- compromised at least 4.2 million credit and debit card accounts.

In early 2007, TJX Companies Inc., the parent of retailers Marshalls and TJ Maxx, said a number of breaches over a three-year period exposed more than 45 million credit and debit card numbers.

In 2005, a breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts.

Update, 5:07 p.m. ET: Changed "accounts" in first paragraph to "transactions." Also added information from Heartland chief executive about the timing of the breach and the hiring of outside consultants.

By Brian Krebs | January 20, 2009; 1:30 PM ET
Categories: Fraud, Latest Warnings, Safety Tips, Web Fraud 2.0

Comments

Of concern to me is that as the digital frontier expands that we insist that digital security also keep pace to guard our assets, identities, and our civil liberties.

Posted by: ThomasWhitney | January 20, 2009 2:07 PM | Report abuse

They shouldn't be entirely clueless- where was the malicious software sending the data?

Posted by: hairguy01 | January 20, 2009 2:26 PM | Report abuse

Avivah Litan (Gartner) sez- "This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?"... "I can't believe they waited until today to disclose. That seems very deceptive."

"Deceptive"? Either this guy is on drugs or is a total conspiracy theory bonehead. Is this the best the WAPO can do on Inauguration Day?

As someone who does computer forensics, when there is an ongoing investigation, there is a balance between the flow and timing of information and public knowledge.

The objective is to cooperate with the proper law enforcement authority and make announcements in a timely manner to ensure that does not impact the ongoing investigation process. It is also imperative that there is coordination with the legal department or outside counsel as to options to properly inform the public, without jeopardizing an internal audit or investigation.

Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | January 20, 2009 2:26 PM | Report abuse

Well, now that former employees of the Bush-Cheney administration and their contractors can start mining all that data collected by federal computers, we can all hunker down and hope we aren't among the counted.

We tried to get identity theft prosecuted - less than no interest, even though they had photos of many transactions.

There is no privacy - and the liberals don't seem to care any more than the rightwingnuts have cared.

Posted by: practica1 | January 20, 2009 2:31 PM | Report abuse

Dear news media:

Please DON'T let this story get buried in inauguration festivities. It is big news. Please roll the wave forward for a few days until it breaks!

Posted by: ghostmoves | January 20, 2009 2:44 PM | Report abuse

This company should be shut down for this criminal gross negligence.

Put them into Chapter 7 Bankruptcy.

Posted by: Tom333 | January 20, 2009 2:45 PM | Report abuse

Investigators should be looking for a common thread, such as a consulting firm or individual consultant or employee, possibly employed by more than one of the affected processors. Most financial processors have gone to significant and appropriate lengths to protect their enterprises from attack or intrusion over the network. While there are still ways to hack in through the firewalls, it's an awful lot easier to plant malware while logged in as a programmer or engineer with valid security credentials.

There is also the possibility that the offending code was ported in as a component of a software bundle or vendor product, unbeknownst to the onsite technicians or consultants.

In either case, cross referencing contractors, employees, and software amongst the processors might turn up one or more "interesting" similarities.

Posted by: mgloraine | January 20, 2009 2:49 PM | Report abuse

This is VERY interesting news. I do agree that the timing, while unfortunate, was probably not intentional to distract from the impact of the story.

Perhaps the most interesting element is that it appears the data was collected while "in-flight" rather than stored (which would be a compliance nightmare).

More extensive thoughts are at: http://bit.ly/L0S1

Posted by: tylerhannan | January 20, 2009 2:58 PM | Report abuse

As someone who does computer forensics, when there is an ongoing investigation, there is a balance between the flow and timing of information and public knowledge.

The objective is to cooperate with the proper law enforcement authority and make announcements in a timely manner to ensure that does not impact the ongoing investigation process. It is also imperative that there is coordination with the legal department or outside counsel as to options to properly inform the public, without jeopardizing an internal audit or investigation.


BS, It's the company and law enforcement's responsibility to inform the people that may be affected. Since they decided to withhold the info that makes them responsible for all damages. Their investigation does not outweigh their responsibility to notify those affected. This BS has to stop. The first step is closing down companies like this, second is arresting and charging the detectives involved in the investigation. The 3rd thing is to arrest the CEO of the corp. for failing to follow federal law. Retaining customer info is illegal for this exact reason. On top of that, the banks that were incapable of protecting you and your money are now trying to sell you protection??? If they were unable to safeguard the data the first time what makes anyone think they have a chance in he11 of protecting this time. They're just simply making money off of you AFTER LOSING YOUR DATA. And you pay for it. It's time for a class action lawsuit against each and every company that has lost or had data stolen.

Posted by: askgees | January 20, 2009 3:31 PM | Report abuse

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.

I guess this idiot forgot about this little piece of PUBLIC INFORMATION called a PHONE BOOK. This nitwit needs to be fired immediately.

Posted by: askgees | January 20, 2009 3:45 PM | Report abuse

Can anyone explain why this happens and why the country of origin cannot stop it, or is the country responsible for cyber terrorism?

Posted by: pofinpa | January 20, 2009 4:39 PM | Report abuse

Was this another gift from China?

Posted by: GordonShumway | January 20, 2009 5:04 PM | Report abuse

Mass re-issuance of cards may not be the best response. In the TJX experience, the cost of re-issuing cards far exceeded the actual risk. Alternatives to re-issuance include tighter monitoring of and restrictions on affected card accounts. http://legal-beagle.typepad.com/wrights_legal_beagle/2008/08/credit-card-iss.html --Ben

Posted by: benjaminwright | January 20, 2009 5:04 PM | Report abuse

Are you serious? I am astonished that this information came out on the day of inauguration. I find it to be deceptive that this story comes on the heels of one of the most important days in American history. Now this company must explain to the customers, the clients, the mistakes it has made and file for bankruptcy.

Posted by: JaHarper | January 20, 2009 5:19 PM | Report abuse

Mass reissuance or other identity theft protections may or may not be warranted depending on how you view the risk, and on whom the risk falls. Obviously the company does not feel that this is a significant risk. Given that their spokesperson apparently does not know how to use a phone book, they clearly aren't seeing the same real world in which most of us live, including the 100 million or so other people who used the service each month. 100 million people is a significant part of the population of every adult person who might legally have a credit card in the US.

The biggest question in my mind is whether this is the only trojan sitting in their system, or is there something else also sending data. Heartland does not seem to be able to say when the discovered code went into their system, nor how long it was sending data, which makes 100 million potentially compromised accounts a totally wild guess. If they don't know when it went in, are they at all sure there isn't another piece of code still leaking data?

Posted by: gardoglee | January 20, 2009 5:32 PM | Report abuse

Heartland began receiving fraudulent activity reports late last year and they're just announcing this now? I guess they were hoping to bury the story by releasing it today.

These 3rd party processing companies should be made to post the names of the companies that they process transactions for so that people who've done business with them can take appropriate action.

Posted by: laSerenissima2003 | January 20, 2009 6:12 PM | Report abuse

'unfair to mention any of his company's customers.'... Bushwa... If I cannot punish Heartland for their incompetence, I can surely punish the vendor for their use of Heartland... Interesting that they did not have the expertise on staff to find this thing... cutting corners ? or outsourced outside the country ?

Posted by: smallcage | January 20, 2009 7:00 PM | Report abuse

The quote above is that no one company represents more than one/tenth of one percent of their volume. I wonder how he calculated that since I just did a count from our company database and we have record of over 300,000 distinct credit card numbers that have had transactions approved through Heartland.

Posted by: corpdude | January 20, 2009 7:03 PM | Report abuse

Dude- Timing is everything, especially when it comes to the release of information. If I have a choice of either having them do a trace, e.g. IP addresses, or knowledge of the breach, which charges I am not liable for, how am I "harmed" or what are my losses, outside of my credit card number floating around out there, when they will issue me a new one? So much for litigation and class actions.

I understand John Edwards may be practicing law again and he may take-up your case. Go for it and be the "Lead Plaintiff."

================================
askgees sez- BS, It's the company and law enforcements responsibility to inform the people that may be affected...

There just simply making money off of you AFTER LOSING YOU DATA. And you pay for it. It's time for a class action law suite against each and every company that has lost or had data stolen.


Posted by: Computer_Forensics_Expert_Computer_Expert_Witness | January 20, 2009 7:16 PM | Report abuse

Yeah, this is the exact reason why we should allow Obama and the Democrats to put our medical records online......

Posted by: WildBill1 | January 20, 2009 7:58 PM | Report abuse

Princeton, N.J., payment processor Heartland Payment Systems appears to have saved a buck or two by not hiring a computer security consultant who would have checked their Information Technology infrastructure to ensure that malicious code is unlikely to enter their system and, if it does, it is immediately detected and removed. It sounds as if Heartland Payment Systems is blowing this incident off as mainly a Public Relations problem. I'm waiting in this incident for a public finding of fault. I won't hold my breath.

Posted by: BlueTwo1 | January 20, 2009 8:09 PM | Report abuse

Don't blame law enforcement, they keep us in the dark and don't cooperate. They don't want to lose customers. Tell us as little as possible, and require long and laborious procedures even when you (the card holder) are the victim.

Posted by: skipm | January 20, 2009 10:26 PM | Report abuse

askgee, since when is retaining customer information illegal? By your logic, you would be arresting virtually every CEO of every business-to-consumer operation; from Amazon, Walmart to UPS to your local library to etc...

Although, I don't see a need for retailers (like TJ Maxx) to retain credit card numbers for an extended period. That's pretty much the point of transaction IDs...which is all they need to store.

Posted by: steve-o2 | January 21, 2009 12:05 AM | Report abuse

Heartland should absolutely be billed by each provider to replace the cards! Otherwise do you realize what happens? It may only be a small percentage of cards that end up being used fraudulently, and the cardholders are not responsible for the charges, then who? For each card that is used fraudulently - say a dozen or so times before it is noticed and frozen - there are a dozen or so innocent merchants who end up paying in a chargeback fee and cost of stolen product.

Posted by: washingtonpost22 | January 21, 2009 1:50 AM | Report abuse

Excellent article!! And some interesting comments above.

Note that the reported method of compromise was the interception of card data as it traversed Heartland's network. So the issue of data retention and storage with respect to PCI compliance is not currently in question.

Also noteworthy is that the reported compromise vector is remarkably similar to the recent Hannaford grocery chain compromise. Hannaford reportedly had just passed a rigorous PCI compliance analysis shortly beforehand. The time has long passed for the requirement that transaction data be encrypted from the point of origin, the card swipe. I am not confident that the data is secure and above hacking from any point in the network, beginning at the point of origin, through the approval submission process, and all the way to the acquirer bank.

Though Mr. Baldwin states that CNP fraud resulting from this breach is less likely due to the card holder's address being absent, the lack of a matching 3 digit cvv2 number may be a greater deterrent than the lack of an address. In either case that still leaves card cloning, which gives more than enough of an area for fraudulent use.

The TJ Maxx criminals were known to have cloned some of that card data on to used gift / prepaid debit cards. Unwary merchants ignored cursory checks as they perceived them to be prepaid cards. There is little solace with respect to potential fraudulent use in the fact that the compromised data lacked addresses.

It is also known that cyber criminals can set up their own CNP merchant accounts, and process stolen card data into cash. Possibly turning off the AVS and cvv2 requirement in the process.

Posted by: -MGD- | January 21, 2009 3:06 AM | Report abuse

Recently a friend and I were in a store. We both made credit card transactions and went our separate ways. Subsequently we each made several transactions totaling about $500 apiece. Several days later I noticed that the last four card digits on a transaction receipt didn't match those on my card.

After a few calls and discussion with my friend, we realized that the clerk in the first store had inadvertently handed us each other's cards after our transactions were complete, and that we'd been using each other's cards for a few days.

Obviously, the signatures from the later transactions didn't match the name on the card. The transactions were accepted by the store, processed by the two credit card companies and appeared on each other's monthly statements.

Obviously, the two of us had been making what were essentially fraudulent transactions and were totally clueless about it. This only shows how simple it is to commit fraud and how unlikely it is that an individual doing this intentionally would be caught at the point of sale.

Posted by: dmcc11 | January 21, 2009 9:22 AM | Report abuse

Brian,

Good work. You got mentioned in the Yahoo TECH section. Paste below.

Kevin

Massive Theft of Credit Card Numbers Reported (PC World)


- A payment processor responsible for handling about 100 million credit card transactions every month disclosed today that thieves had used malicious software in its network in 2008 to steal an unknown number of credit card numbers.

The company's information site on the incident, http://2008breach.com/, attempts to downplay the loss of data by asserting that no Social Security numbers, unencrypted PINs or other types of data were stolen. But according to some good reporting from Brian Krebs at the Washington Post, Heartland's CEO says a piece of spyware stole payment card data as it passed through the company network, including the data from the magnetic stripe that can be used to create counterfeit cards.

Heartland says it didn't discover the breach until Visa and Mastercard came knocking about suspicious activity involving card numbers processed by Heartland. Disheartening, to say the least.

It's all the more sad that we as consumers really can't do a darn thing to protect ourselves against this kind of theft. We can be incredibly careful with our own PC and data, but we have no control over how it's handled by the plethora of companies that store and process our information. All you can do is to keep an extra close eye on your credit card statements and credit reports for anything suspicious.

You can pick up free credit reports from https://www.annualcreditreport.com (avoid those slimy sites that try to get you to pay for them). Also, as you scan your credit card statements, be on the lookout even for small charges, possibly even less than a dollar. Such charges can be a sign that thieves are testing the account to see if they can pass a fraudulent charge, and may signal a much larger charge to come.

For more info on the Heartland theft, see Krebs' Security Fix posting and the Heartland disclosure site. And yes, you have to wonder about disclosing this on a day when most everyone's attention is focused elsewhere.

Posted by: fearturtle44 | January 21, 2009 9:31 AM | Report abuse
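The statement-review advice in the pasted article (watch for sub-dollar "test" charges and a larger charge that follows) can be turned into a simple screening rule. The code below is an added illustration, not from the post or PC World; the statement lines, merchant names, the one-dollar probe limit, the seven-day window and the "10x the median charge" threshold are all constructed assumptions.

```python
"""Screen a card statement for the 'card testing' pattern: a tiny probe charge
followed within a few days by an unusually large charge.  Illustrative only."""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Txn:
    posted: date      # date the charge posted
    merchant: str     # merchant descriptor as printed on the statement
    amount: Decimal   # debit amount in dollars


@dataclass(frozen=True)
class Alert:
    kind: str                     # "micro_charge" or "probe_then_large"
    probe: Txn                    # the sub-limit charge that triggered the alert
    follow_up: Optional[Txn] = None  # the large charge, for "probe_then_large"


# Assumed thresholds (not from the article): the "less than a dollar" limit,
# how long after a probe we look, and how far above typical spend counts as large.
MICRO_LIMIT = Decimal("1.00")
WINDOW_DAYS = 7
LARGE_MULTIPLE = 10

# Constructed sample statement; none of these are real transactions.
SAMPLE_STATEMENT = [
    Txn(date(2009, 1, 12), "COFFEE SHOP", Decimal("3.75")),
    Txn(date(2009, 1, 14), "ONLINE SVC *VERIFY", Decimal("0.57")),   # probe
    Txn(date(2009, 1, 14), "ONLINE SVC *VERIFY", Decimal("0.23")),   # probe
    Txn(date(2009, 1, 15), "GROCERY", Decimal("84.10")),
    Txn(date(2009, 1, 18), "ELECTRONICS OUTLET", Decimal("1249.00")),  # large follow-up
    Txn(date(2009, 1, 20), "GAS STATION", Decimal("41.00")),
]


def micro_charges(txns: List[Txn], limit: Decimal = MICRO_LIMIT) -> List[Txn]:
    """Debits below the limit: the sub-dollar charges the advice says to watch."""
    return [t for t in txns if Decimal("0") < t.amount < limit]


def typical_spend(txns: List[Txn], limit: Decimal = MICRO_LIMIT) -> Decimal:
    """Median of the ordinary (non-micro) charges; the baseline for 'unusually large'."""
    ordinary = [t.amount for t in txns if t.amount >= limit]
    return median(ordinary) if ordinary else Decimal("0")


def review_statement(txns: List[Txn], window_days: int = WINDOW_DAYS,
                     large_multiple: int = LARGE_MULTIPLE,
                     limit: Decimal = MICRO_LIMIT) -> List[Alert]:
    """Return one alert per micro charge, plus one per large charge that posts
    within window_days after it.  A large charge is one at or above
    large_multiple times the statement's median ordinary charge."""
    txns = sorted(txns, key=lambda t: t.posted)
    baseline = typical_spend(txns, limit)
    alerts: List[Alert] = []
    for probe in micro_charges(txns, limit):
        alerts.append(Alert("micro_charge", probe))
        deadline = probe.posted + timedelta(days=window_days)
        for later in txns:
            if (probe.posted <= later.posted <= deadline
                    and later.amount >= limit
                    and later.amount >= baseline * large_multiple):
                alerts.append(Alert("probe_then_large", probe, later))
    return alerts


if __name__ == "__main__":
    for a in review_statement(SAMPLE_STATEMENT):
        tail = f" -> {a.follow_up.merchant} {a.follow_up.amount}" if a.follow_up else ""
        print(f"{a.kind}: {a.probe.posted} {a.probe.merchant} {a.probe.amount}{tail}")
```

On the sample statement the two 14 January probes are reported on their own, and each is also paired with the $1,249 charge four days later, while the $84.10 grocery charge stays below the large-charge threshold.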

Interesting comments on this breach. I assume the comments about the malware being on the network really meant it was installed and capturing on a server, seeing that switched networks don't allow this capturing to occur unless arp poisoning is taking place from another device. So the real question should be, what device was actually infected and how did such code get dropped on to that device that could capture network traffic. Lastly, how would the device have sent out such traffic to the Internet if appropriate egress controls are in place on the DMZ.

Posted by: dmallor | January 21, 2009 9:43 AM | Report abuse

Chimicles & Tikellis is investigating a potential class action lawsuit against Heartland Payment Systems (“HPS”). HPS, a publicly traded company, processes credit card transactions and provides other services for over 250,000 businesses across the country, including restaurants and small retail stores. HPS reportedly handles approximately 100 million credit card transactions per month.

HPS recently announced that certain data that it maintains in its processing systems had been accessed by outside hackers in 2008. It has been reported that this compromised information includes debit and credit card numbers, expiration dates, and internal bank codes. According to reports, HPS only became aware of the breach after it was notified of patterns of fraudulent credit card activity by Visa and MasterCard. The incident has already been described as the largest credit card data breach ever.

If you have reason to believe that your credit card, debit card, or other sensitive personal information may have been compromised as a result of the recent data breach at HPS, please contact the attorneys below.

Attorneys to Contact:
Joseph G. Sauder (JosephSauder@chimicles.com)
Benjamin F. Johns (BFJ@chimicles.com)
Matthew D. Schelkopf (MatthewSchelkopf@chimicles.com)
361 West Lancaster Avenue, Haverford, PA 19041 Phone: 610-642-8500

Posted by: js101 | January 21, 2009 10:10 AM | Report abuse

There is a simple and effective way to combat this type of breach...Encryption throughout the lifecycle of the transaction. Yes, even (and especially) on the internal (trusted) network of the card processing entities. If PCI would mandate this, it would go a long way IMO. Hannaford and now Heartland. This is a trend with no end in sight under the current mindset.....

Posted by: InfoSecDude | January 21, 2009 10:59 AM | Report abuse

Brian - the comments placed against http://www.washingtonpost.com/wp-dyn/content/article/2009/01/20/AR2009012003674.html have been lost. Can you move them here since the link has been redirected?

Posted by: Sadler | January 21, 2009 11:19 AM | Report abuse

See www.D50.org

This was predicted years ago.

Posted by: Sadler | January 21, 2009 11:22 AM | Report abuse

What amazes me is that the title of the news feed that I receive from The Washington Post was titled: "Technology: Digital Switch May Not Be Smooth". This revelation about Heartland Payment Systems is much more important than the digital switch, yet the Post did not consider it to be front page news or the feature story of the news feed. Why not?

Posted by: 22busy | January 21, 2009 11:45 AM | Report abuse

Name the businesses so the consumer can choose to use that business or not. Or make sure all fraud against the individual customer/s is paid by the data processing service (make sure the customers do not get hurt in any way, after all, the card usage may be easy for everyone, but it's really to make the people spend money without much thought). Go and Find the Guilty, don't just rely on the Police; you are the one responsible for processing this information and you should take actual physical and Fiscal responsibility for such a breach of security of the poor consumers.

Posted by: SOCIETY1 | January 21, 2009 11:56 AM | Report abuse

Check out this site for the latest on what digital security technology has to offer. You might be surprised at how much is actually out there available to be used at this time.

http://www.justaskgemalto.com

Posted by: ThomasWhitney | January 21, 2009 1:16 PM | Report abuse

Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome.

Posted by: johnfranks999 | January 21, 2009 1:24 PM | Report abuse

Pay cash.

Posted by: cathyvv | January 21, 2009 1:28 PM | Report abuse

Many people who work directly for the CEO/CIO DO know what should be done to secure our source-code and data, but don't have the guts to tell them (and then get "canned").

There are tools to control access to software source (IBM/Rational ClearCase is probably the most popular) and McCabe Software has "Structured Testing" tools to reveal untested software. Lots of companies want to stick with their home-made code control systems and don't want to invest the time/money in performing proper testing. Easier to claim "ignorance" when bad things happen ("No one could have imagined..." - sound familiar?)

Posted by: Sadler | January 21, 2009 2:08 PM | Report abuse

A technology solution based on Identity-Based Encryption (IBE) and Format-Preserving Encryption (FPE) definitely eliminates this type of threat. Someone snooping traffic between the Processor and an upstream clearer would have seen only encrypted data. This innovative encryption approach obviates the need to overhaul existing system formats, and IBE provides an elegant federated security model that matches the existing processing architecture. More details at http://superconductor.voltage.com/2009/01/heartland-data-breach.html

Posted by: WasimA | January 21, 2009 2:33 PM | Report abuse

Brian - I found them:

=======================
How about we offer FREE credit card cancellation and NO INTEREST on the balance until it is paid off.

Reduce the CEO's salary to $1 and no bonuses for anyone until the mess is cleaned up.

Nothing will be learned until we teach the "big heads" a lesson.
=======================
Perhaps these thieves didn't need address information. Perhaps the data was used to purchase thousands of homes and immediately relist them for 10% more. I remember a Chicago Tribune article about a dead man being found in a home that had been bought and sold two or three times. He had been sitting there in a chair the whole time!

I want to know if the company controlling access to the software employed H1B workers, or if any of the work was off-shored.

There is NO excuse for not knowing who accessed the code each time it was modified and what was changed. "Structured Testing" should be used to verify all modified code was tested. There are TONS of people working in the software world who know these things should be done, but don't want to spend the $$money$$ doing them. IBM Rational's ClearCase is the tool for controlling the code (though many misuse this tool) and McCabe Software makes the Structured Testing tools (very few companies use this one).

Perhaps a lesson from the Chinese - "off with their heads..." (China To Execute Chief Food Inspector)
=======================
And Brian - this is the very issue I raised in one of your discussions years ago. You "pooh-poohed" the idea, saying external attacks were more important to worry about. I never said we should not worry about external attacks - but the fact is, per incident, an internal attack could be more damaging as the attacker already knows what to access.

I still believe the next 9/11 will be through software (perhaps the financial crisis WAS the next 9/11...lol). What was the cost of 9/11 compared to the cost of the current financial "issues"?

Posted by: Sadler | January 21, 2009 2:54 PM | Report abuse

I'd bet Heartland is NOW one of the most secure companies in the world, and will probably be watched like a hawk.
So, I'd probably feel more comfortable using this company.
There's not much hackers can do with encrypted card data anyway.
Every business you use your card at has this information anyway. The local waiter is more likely to steal your information.

Posted by: shoppers | January 21, 2009 3:27 PM | Report abuse

These megabreaches overshadow the hundreds if not thousands of microbreaches that very likely occur through smaller merchants such as businesses, not-for-profits, schools, and local governments that compromise cardholder information daily without even noticing.

Small merchants such as these are no less responsible than Heartland is for safeguarding information and complying with the Payment Card Industry Data Security Standard (PCI-DSS). Compromising even a few cardholders' accounts can lead to a public relations nightmare and financial liability. (See http://www.PrivacyDiary.com "Do you Accept Credit Cards? Beware." Jan. 21, 2009.)

There are regulations and laws that govern when consumers should be notified. Consumers should be aware that premature disclosure of an incident may put more consumers at risk. (For example, see http://www.JCampana.com "Wisconsin Contractor and State Expose Residents to ID Theft in Super Breach".)

Consumers should also understand that an organization can do everything reasonable to protect information and still experience a breach. There is always risk. There are factors beyond the organization's control. Whether Heartland took reasonable and appropriate safeguards remains an open question.

There is a lot of strong and unforgiving language used by consumers to describe this breach.

If your home was broken into and robbed, are you necessarily negligent, irresponsible, an idiot, or deserving of being put into foreclosure? Some may suggest that depends on what you did to prevent the burglary. Did you take reasonable and appropriate steps or not, and who should judge whether you did or not? Your neighbors or a security specialist?

Posted by: iamplatinum | January 21, 2009 5:19 PM | Report abuse

I worked in credit card fraud investigations. All someone needs is your name and you are a victim. I would have to call people about fraud who had not lost their identification, and they were victims. With your name they will make up the rest, and with enough inquiries the fraud address appears in the credit bureau enough times to start reporting as your address; from there you are a victim, and then they have your identity and credit.
This company doesn't think it is worth fraud protection? Even $1 is worth protection. It appears they are taking this lightly, and we the consumers will end up paying for the millions of dollars in fraudulent charges and new security to cover them.

Posted by: worrieroffinances | January 21, 2009 5:33 PM | Report abuse

A real shame this was removed from the main page to the "geeks" page. Few will read it here.

Posted by: Sadler | January 21, 2009 6:15 PM | Report abuse

Did this company have a SAS 70, and if so, who did it?

Jeffrey M. Tilton, CFE
516-967-3179

Posted by: jtilton468 | January 21, 2009 8:15 PM | Report abuse

Of course they can determine when the malicious software was placed on their computers... do they think that the world is stupid? Any responsible database is backed up all of the time. Just reviewing those backups (one by one) for the presence of the bad software would pinpoint when it was injected into their systems. They have probably done this already and are afraid to say how LONG they have been working in a compromised state. The Forensic Accountants they hired ascertained this information, and where it was being sent to, in the FIRST report that they made to Heartland Payment Systems.
Heartland Payment Systems is "spinning/controlling" the situation by reducing the flow of information to you, the consumer, as much as possible.

Posted by: realneil | January 22, 2009 9:27 AM | Report abuse
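The backup-by-backup review that the comment above describes is a standard forensic timeline technique: if nightly backups exist, the earliest backup containing the planted file bounds the infection date. The following is an added example, not code from the original post or from Heartland's investigators; the snapshot inventories, file paths and hashes are constructed placeholders, not real indicators from this breach.

```python
import hashlib
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# A backup snapshot is modelled as (backup date, {file path: sha256 hex}).
Snapshot = Tuple[date, Dict[str, str]]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample inventory. These are placeholder contents, not real binaries.
_KNOWN_GOOD = {
    "/opt/pos/bin/authd": sha256_hex(b"placeholder authd binary v1"),
    "/opt/pos/lib/libproto.so": sha256_hex(b"placeholder protocol library v1"),
}
# Hypothetical dropped file: the path and hash are labelled placeholders.
PLANTED_PATH = "/opt/pos/lib/libproto_hlp.so"
PLANTED_HASH = sha256_hex(b"placeholder capture module (constructed)")


def build_sample_snapshots() -> List[Snapshot]:
    """Ten constructed nightly backups (2008-05-01 .. 2008-05-10).
    The planted file is present from 2008-05-07 onwards."""
    snaps: List[Snapshot] = []
    for day in range(1, 11):
        files = dict(_KNOWN_GOOD)
        if day >= 7:
            files[PLANTED_PATH] = PLANTED_HASH
        snaps.append((date(2008, 5, day), files))
    return snaps


def snapshot_has_indicator(files: Dict[str, str], bad_hashes: Set[str], bad_paths: Set[str]) -> bool:
    """True if any file matches a known-bad hash, or a known-bad path exists (the
    file may have been renamed, so both checks matter)."""
    return any(h in bad_hashes for h in files.values()) or any(p in files for p in bad_paths)


def presence_is_monotonic(snapshots: List[Snapshot], bad_hashes: Set[str], bad_paths: Set[str]) -> bool:
    """Check the assumption binary search relies on: once present, the artifact
    never disappears in a later backup. If this is False, fall back to a linear scan."""
    flags = [snapshot_has_indicator(files, bad_hashes, bad_paths) for _, files in snapshots]
    return flags == sorted(flags)  # all False values precede all True values


def first_appearance(snapshots: List[Snapshot], bad_hashes: Set[str], bad_paths: Set[str]) -> Optional[date]:
    """Earliest backup date containing an indicator, or None if no backup does.
    Uses binary search when presence is monotonic, otherwise a linear scan."""
    if not presence_is_monotonic(snapshots, bad_hashes, bad_paths):
        for when, files in snapshots:
            if snapshot_has_indicator(files, bad_hashes, bad_paths):
                return when
        return None
    lo, hi = 0, len(snapshots)
    while lo < hi:
        mid = (lo + hi) // 2
        if snapshot_has_indicator(snapshots[mid][1], bad_hashes, bad_paths):
            hi = mid
        else:
            lo = mid + 1
    return snapshots[lo][0] if lo < len(snapshots) else None


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]):
    """Files added or modified between two backups; once the window is known this
    narrows the review to what actually changed on the host."""
    added = {p: h for p, h in after.items() if p not in before}
    changed = {p: h for p, h in after.items() if p in before and before[p] != h}
    return added, changed


if __name__ == "__main__":
    snaps = build_sample_snapshots()
    when = first_appearance(snaps, {PLANTED_HASH}, {PLANTED_PATH})
    print("first backup with indicator:", when)
    added, changed = diff_snapshots(snaps[5][1], snaps[6][1])
    print("added:", sorted(added), "changed:", sorted(changed))
```

With complete backups the binary search touches only about log2(N) snapshots, which matters when each check means mounting and hashing a full backup image; the monotonic check guards against gaps or restores that would make the search return the wrong date.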

What I want to know is, WHICH merchants use their service?

"Baldwin said it would be unfair to mention any one of his company's customers."

Well, not half as unfair as when my money is stolen from my debit card account and my bank denies a claim for remuneration because "you should have kept better control of your PIN number"...

Posted by: vaporland | January 22, 2009 9:50 AM | Report abuse

Vaporland,... did what you describe really happen to you?
If so,....I would consider using another bank because THAT would piss me off.
The system of Debit/Credit card transactions is heavily in the favor of the card issuer making tons of money off of the card holder.
The fees are ridiculous and the way they post transactions, delaying sometimes for days, to your account should be criminal.
Electronic transactions poll the account to see if there is money there to make the sale first. This happens in real time. Why don't they post in real time? It's possible to do,.......the answer is that by delaying transaction, they make a fortune in extra fees. You go online to see your account balance,...but it's not accurate. You may not be aware that your spouse bought something lately, bringing your balance low, and you purchase something else,...causing the account to dip into overdraft,... for huge fees. Banks make a killing off of these fees. They'll fight tooth and nail to preserve it,...but it's a dishonest way to do things when they have the capability to post electronically, in REAL TIME.

Posted by: realneil | January 22, 2009 10:48 AM | Report abuse

Let's look at this from the banker's perspective! Consumers will not lose a dime on this breach; bankers will lose tons of money. We felt this breach in November... lost a bunch of money in three days!!!!! Customers were hit with transactions in stores all over the mid-Atlantic states. We contacted numerous officials with no support whatsoever. It's time to make the merchants and their vendors accountable!!!!

Posted by: banker101 | January 22, 2009 11:32 AM | Report abuse

Brian,

I told you about this issue a year ago and you erased my posting. Merchants and Processors are not required by PCI to encrypt on their internal networks. This needs to be fixed. No one should be surprised by this, and no one knowledgeable is.

Posted by: rogernebel | January 22, 2009 1:08 PM | Report abuse
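One way a defender verifies whether the internal-network exposure described in the comment above actually exists is to scan captured traffic or application logs from internal links for cleartext primary account numbers. The following is an added example, not code from the original post or from any processor; the log lines are constructed, and the card numbers in them are the well-known test numbers 4111111111111111 and 5555555555554444, not real accounts.

```python
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer digit run. Candidates are then filtered with the Luhn check.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Show only the last four digits, so reports do not re-expose the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_cleartext_pans(text: str) -> List[str]:
    """Return masked PANs that appear in cleartext in one line of captured data."""
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, masked PAN) for every cleartext PAN found."""
    found = []
    for n, line in enumerate(lines, start=1):
        for masked in find_cleartext_pans(line):
            found.append((n, masked))
    return found


# Constructed sample: what a capture on an unencrypted internal link might contain.
SAMPLE_LINES = [
    'auth-fwd 2009-01-21T13:28:00 src=10.1.2.3 dst=10.1.9.9 msg="PAN=4111111111111111 EXP=1012 AMT=42.17"',
    'auth-fwd 2009-01-21T13:28:01 src=10.1.2.3 dst=10.1.9.9 msg="PAN=5555 5555 5555 4444 EXP=0611 AMT=9.99"',
    'auth-fwd 2009-01-21T13:28:02 src=10.1.2.3 dst=10.1.9.9 msg="TOKEN=tok_8f1c2a txid=4111111111111112"',
    'auth-fwd 2009-01-21T13:28:03 src=10.1.2.4 dst=10.1.9.9 msg="session=20090121132800 status=ok"',
]

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_LINES):
        print(f"line {lineno}: cleartext PAN {masked}")
```

The third and fourth lines show why the Luhn filter matters: a 16-digit transaction id and a 14-digit timestamp are digit runs of plausible length but fail the checksum, so they are not reported. A clean result from such a scan is evidence that card data is tokenized or encrypted before it crosses the internal link; any hit is a finding regardless of what the standard requires.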

I have a Visa card through FIA Card Services that had three fraudulent charges made in December and January. One on my original card then 2 within days of receiving the replacement card. I called FIA -- they are well aware of the Heartland breach and have flagged affected accounts already, sending out letters to those cardholders.

Posted by: salsanchips | January 22, 2009 1:41 PM | Report abuse

@Rogernebel -- Unless your post included profanity, ad hominem attacks, links to nasty Web sites or something else that violates our blog policy, I did not delete your comment. In fact, I rarely ever delete comments. Look through the stuff I let sit up in here enough and I think you'll come to that same conclusion yourself.

Perhaps you are referring to this post, in which I actually talk about the issue you're raising here (lack of encryption of internal networks):

http://voices.washingtonpost.com/securityfix/2008/03/hannaford_breach_may_presage_0.html

Posted by: BTKrebs | January 22, 2009 6:51 PM | Report abuse

This company has excellent customer service, no contracts or cancellation fees,very reasonable rates, AND HAS NEVER HAD A SECURITY BREACH. As a business owner, I have never had any issues with them, and plan on keeping them as my processor for a very long time. My sales rep was Danielle at (877) 877-9592.

Posted by: sandra_jean | January 23, 2009 10:03 AM | Report abuse

This is incredibly shady. The malware was installed on the portion of the Heartland network that sends the transaction data from point a to point b inside Heartland without any encryption. Key word: "inside". Additionally, all the sales reps from competing firms (many former H-land reps amongst them) are saying this supposedly started happening last May, and Heartland suddenly got around to hiring a security officer in June. Suspicious timing?

It just looks like this place got hacked by one of their own employees, and the company is so ashamed by it that they completely dropped the ball on doing anything responsible about the situation. Now we know; all those credit card processing sales reps really are as shady as they always seem to be.

Posted by: hiberniantears | January 23, 2009 11:12 AM | Report abuse

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.

I guess these people know nothing about the way debit and credit cards really work. The criminals don't want your address! All they are going to do with your address is mail order/telephone order transactions, for which the issuers would have dispute rights. With the track one and track two information they received from the compromise they can make counterfeit plastic. This shows the issuer's card was present during the transaction, and the issuer is fully responsible for the transactions made with this counterfeit card. This gives the crooks access to purchase anything they want on the issuer's dollar. Why should the issuers remain fully responsible because the merchants and processors aren't securing their networks? The losses are astronomical from this compromise; quit playing it off as if there aren't any losses. I would bet more than 80% of most financial institutions' losses in 2008 are a result of this compromise. Not to mention the amount of money that it is going to cost the issuing banks to reissue their cards. MAKE THE COMPROMISED MERCHANTS AND PROCESSORS RESPONSIBLE!!

Posted by: scrist1 | January 23, 2009 11:20 AM | Report abuse

It's time CONGRESS did what they're hired to do, work for you and me and not big money... companies must have an audit of security every day... encryption of any data.. all those laptops with SSN's... in China this butthead Baldwin would be executed! Time to follow their example.

Posted by: kkrimmer | January 23, 2009 8:25 PM | Report abuse

In response to the questions Posted by: dmallor | January 21, 2009 9:43 AM

'...Interesting comments on this breach. I assume the comments about the malware being on the network really meant it was installed and capturing on a server, seeing that switched networks don't allow this capturing to occur unless arp poisoning is taking place from another device. So the real question should be, what device was actually infected and how did such code get dropped on to that device that could capture network traffic. Lastly, how would the device have sent out such traffic to the Internet if appropriate egress controls are in place on the DMZ.'...

One possibility is through Cisco Routers! I was reading an article about how the manufacturers overproduce and sell the overage under false labeling and/or with duplicate serial numbers... these overproduced routers were also purchased by scammers and their 'CHIPS' were replaced with chips that had some kind of 'Malware' or 'KSLs' and forwarded the data allegedly to China.

There are thousands of digital equipment manufacturers worldwide and the condition, (Over Production) and reselling bogus equipment, modified 'Firmware' and the like are likely to increase as things look now!

Search google for cisco routers and you'll likely find the article and more on the subject


Posted by: unionofconcernedcitizens | January 26, 2009 3:20 PM | Report abuse
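The egress question quoted in the comment above (how captured data could leave if the DMZ had proper egress controls) is something a defender can check directly from flow logs: with a deny-by-default allowlist for the card-processing segment, any outbound connection to a destination not on the list is a finding. The following is an added example, not code from the original post; the segment address, the allowlist and the flow records are constructed, using documentation address ranges rather than any real host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddr
    dst: IPAddr
    dport: int
    proto: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<ts> <src> <dst> <dport> <proto> <bytes>'."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto, int(nbytes))


# Hypothetical card-processing segment (assumption, not a real network).
PROCESSING_SEGMENT: IPNet = ipaddress.ip_network("10.20.0.0/16")

# Deny-by-default egress allowlist: (destination network, port, protocol).
EGRESS_ALLOWLIST: List[Tuple[IPNet, int, str]] = [
    (ipaddress.ip_network("192.0.2.0/24"), 443, "tcp"),  # upstream clearer (TEST-NET-1, constructed)
    (ipaddress.ip_network("10.0.0.53/32"), 53, "udp"),   # internal resolver (constructed)
]


def is_allowed(flow: Flow, allowlist: List[Tuple[IPNet, int, str]]) -> bool:
    return any(flow.dst in net and flow.dport == port and flow.proto == proto
               for net, port, proto in allowlist)


def find_unauthorized_egress(lines: List[str], segment: IPNet = PROCESSING_SEGMENT,
                             allowlist: List[Tuple[IPNet, int, str]] = EGRESS_ALLOWLIST) -> List[Flow]:
    """Flows that leave the segment to a destination/port not on the allowlist.
    Traffic that stays inside the segment and traffic from other segments is ignored."""
    flagged = []
    for line in lines:
        flow = parse_flow(line)
        if flow.src not in segment or flow.dst in segment:
            continue
        if not is_allowed(flow, allowlist):
            flagged.append(flow)
    return flagged


def summarize_by_destination(flows: List[Flow]) -> Dict[Tuple[str, int], int]:
    """Total bytes per (destination, port): a sustained high-volume stream to an
    unknown host is the pattern an analyst looks for first."""
    totals: Dict[Tuple[str, int], int] = {}
    for f in flows:
        key = (str(f.dst), f.dport)
        totals[key] = totals.get(key, 0) + f.bytes_out
    return totals


# Constructed flow records; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    "2009-01-21T13:30:00 10.20.4.15 192.0.2.10 443 tcp 1200",     # allowed: clearer
    "2009-01-21T13:30:05 10.20.4.15 10.0.0.53 53 udp 96",         # allowed: resolver
    "2009-01-21T13:30:09 10.20.4.15 198.51.100.7 443 tcp 8421",   # flagged: unknown host
    "2009-01-21T13:31:00 10.20.4.15 198.51.100.7 443 tcp 9930",   # flagged: same host
    "2009-01-21T13:31:30 10.20.7.2 203.0.113.5 21 tcp 512",       # flagged: FTP outbound
    "2009-01-21T13:32:00 10.99.1.1 198.51.100.7 443 tcp 40",      # other segment, ignored
]

if __name__ == "__main__":
    flagged = find_unauthorized_egress(SAMPLE_FLOWS)
    for (dst, port), total in sorted(summarize_by_destination(flagged).items()):
        print(f"{dst}:{port} {total} bytes from processing segment (not allowlisted)")
```

The same allowlist that drives the detection is what the firewall policy on the segment boundary should enforce; if the rule set is deny-by-default, the flagged flows would never have completed, and the logs would show the blocked attempts instead.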

This company has a lot of different options at affordable prices. The equipment is already up to date and has always met every PCI compliance law regarding security.

Posted by: msidonna2167 | January 28, 2009 11:20 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company