Heartland Payment Systems Breach

index_logo

 

EDIT: See my on personal thoughts here.

 

EDIT: check the comments from Joshua Nieuwsma at the bottom of this Wired Blog Post – Appears to be a Heartland Employee defending and providing some commentary on this situation.

 

EDIT: more detail at Security Fix :  Payment Processor Breach May Be Largest Ever

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have led to the theft of more than 100 million credit and debit card accounts, the company said today.

….

… it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

-Original-

I saw this "Heartland uncovers malicious software" Press Release:  Some relevant paragraphs snagged:

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.

…..

Heartland has created a website – www.2008breach.com – to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.

I met the CSO (Chief Security Officer) of Heartland Payment Systems at a Society of Payment Security Professionals -  CPISM/A Training Boot Camp in late 2008. I have to say that I was pretty impressed with his knowledge of the Payment Industry, and his more related to this security posture and knowledge of PCI.

What does this mean to you ? If you are a cardholder that shopped at a merchant that HPS was the processor for(you wont know this, unless the merchant contacts you) you need to monitor your statements for fraudulent unauthorized activity.  If you are merchant then you need to contract HPS if they haven’t contacted your already. The good news is that HPS was PCI Compliant – let this serve as an example that PCI Compliance does not prevent breaches, and that Compliance is a snapshot in time, Compliance != Security, and Security is a process.

But although this statement:

"After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network."

Suggests that account numbers were compromised and used to be alerted by Visa and MC.

However, I applaud HPS for alerting the public via a Press Release as well as to create a website for more information. However, I do like others, question the timing the the release.

Also: In case you are wondering if Heartland was PCI Compliant: Listed by Visa as PCI compliant April 30/2008 by QSA Trustwave :

1-20-2009 2-01-18 PM

7 Comments

  1. I agree wholeheartedly.

    The statement: “let this serve as an example that PCI Compliance does not prevent breaches, and that Compliance is a snapshot in time, Compliance != Security, and Security is a process.” is powerful and one that deserves to be understood by a greater audience.

  2. the CEo has sold over 680,000 shares of stock since sept 08. the simple question is “what did the ceo know and when did he know it

  3. It’s too bad that even if someone had solutions to fraud and the resources to capture these criminals that they would not be punished in a way that would deter them or others from engaging in these destructive activities. Laws seem to protect criminals and limit the freedoms of law abiding citizens in the pursuit of criminals. If the payoff is greater than the consequences, then the fraud will continue to grow.

  4. I have read the class action lawsuit and it is clear that Heartland withheld information. Also, Visa has recertified this company. It is their business to make sure their systems are secure. It is their business when they process this amount of transactions to have a fraud team on board consistent with the skills and ability of the secret service who are investigating. It is their responsibility to be proactive rather than reactive. Visa should not have recertified Heartland, period. Had they handled this properly, other companies who process payments would certainly make it their business to make sure their systems are secure by taking .00001% of their profits they make to hire the very best and brightest so that their employees are always more capable than the criminals.

Leave a Comment.