Heartland Payment Systems breach could be massive

Date Reported:
1/20/09

Organization:
Heartland Payment Systems

Contractor/Consultant/Branch:
None

Location:
Princeton, New Jersey*

*Heartland Payment Systems has sites across North America

Victims:
Credit and Debit cardholders

Number Affected:
Unknown, "the company is not yet ready to disclose the number of credit card accounts affected"**

**"Heartland handles over 4 billion transactions per year", Source: Heartland Company History

Types of Data:
"digital information encoded onto the magnetic stripe built into the backs of credit and debit cards"

Breach Description:
"A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions credit and debit card transactions, the company said today."

Reference URL:
Heartland Payment Systems
InformationWeek
Washington Post

Report Credit:
Heartland Payment Systems

Response:
From the online sources cited above:

NOTE: This breach is very significant and potentially affects millions of credit and debit card holders from multiple credit and debit card companies, regardless of bank or card issuer.  In this section, we will first explore the press release before moving on to additional facts discovered by others.

HEARTLAND PAYMENT SYSTEMS PRESS RELEASE:
[Evan] I have to say that this is one of the worst press releases I have ever read announcing a breach.  I'll comment below.

Princeton, NJ — January 20, 2009 — Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.
[Evan] The very first sentence in the press release states that Heartland is the victim.  In my opinion, it is rarely a good idea to announce yourself as a victim when you are the custodian of confidential information.  The owners are truly the victims.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer.
[Evan] Heartland was actually alerted by Visa and MasterCard.

"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach.
[Evan] So what?  I want to know what information WAS involved.

Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.
[Evan] Again, I don't care about what Heartland systems were safe.  I want to know what information wasn't safe.  There is no mention of the specific data that was actually compromised anywhere in the press release.

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter.

Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems.

In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.
[Evan] This sounds like network intrusion detection/prevention, which has been around for quite some time.  Network intrusion detection/prevention employing anomaly detection is used by many organizations processing much less sensitive information.

Heartland has created a website — www.2008breach.com — to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers.
[Evan] This web site is nothing more than the press release and Q&A with regurgitated press release information.

Cardholders are not responsible for unauthorized fraudulent charges made by third parties.
[Evan] Not directly anyway.  The money comes from somewhere (banks) and the costs will be passed on.

"Heartland apologizes for any inconvenience this situation has caused," continued Baldwin.

"Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."

FROM OTHER SOURCES:

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions credit and debit card transactions

If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.

The data breach could turn out to rival the massive breach reported by TJX in 2007, which affected as many as 94 million credit card accounts.

Robert Baldwin, Heartland's president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.
[Evan] According to this statement, it appears as though fraud has already occurred.  This is important information to keep in mind as you read more below.

Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country.

He declined to name any well-known establishments or retail clients that may have been affected by the breach.

Baldwin said it would be unfair to mention any one of his company's customers.

"No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair," he said.
[Evan] This is an indication of how widespread this could get.

"Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know."
[Evan] Exactly, and this makes this a very scary breach.

Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.

Baldwin said that the breach was the result of keylogging malware, which covertly captures anything typed on an infected computer, such as user names and passwords.
[Evan] How could a computer connected to a network that carries extremely sensitive information become infected with malware?  There are many ways in which malware can find its way into an organization, but on a network like this?

"There were two elements to it, one of which was a keylogger that got through our firewall," he said. "Then subsequently it was able to propagate a sniffer onto some of the machines in our network. And those are what was actually grabbing the transactions as they floated over our network."

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised.

The stolen data includes names, credit and debit card numbers and expiration dates.
[Evan] Finally, we get an indication of what data was compromised.

"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."

The company stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were jeopardized as a result of the breach.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards.

Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.
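
A defender's check for the failure mode described above (unencrypted magnetic stripe data crossing a processing network where a sniffer can read it): an added example, not Heartland's or any vendor's code, that scans captured lines for ISO 7813 Track 1/Track 2 formatted data and bare card numbers, uses the Luhn check to suppress timestamps and transaction ids, and reports only masked PANs. The sample capture lines, host names and test card numbers are constructed.

```python
import re

# ISO 7813 track formats. Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")
# Bare PAN candidates (13-19 digits) for lines that carry no track sentinels
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(pan):
    """Luhn mod-10 check: weeds out most timestamps, ids and counters."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the BIN and last four only, so the alert is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return (kind, masked_pan, expiry) for each stripe/PAN finding in one line."""
    findings = []
    for m in TRACK1_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track1", mask(m.group(1)), m.group(3)))
    for m in TRACK2_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("track2", mask(m.group(1)), m.group(2)))
    if not findings:  # fall back to bare-PAN matching only when no track data was seen
        for m in PAN_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(("pan", mask(m.group(1)), None))
    return findings


def scan_capture(lines):
    """Scan numbered lines (reassembled payloads, app logs); returns (line_no, finding) pairs."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample of what an unencrypted processing hop might look like on the wire.
# 4111... and 5555... are standard test card numbers, not real accounts.
SAMPLE_CAPTURE = [
    "2009-01-14T10:02:11 host=proc07 payload=%B4111111111111111^DOE/JANE^1212101123?;4111111111111111=1212101123?",
    "2009-01-14T10:02:12 host=proc07 payload=ENC:9c4e7b2d1a0f6e3c",  # encrypted: nothing to flag
    "2009-01-14T10:02:13 host=proc09 txn_id=2009012012345678 amount=42.17",  # 16 digits, fails Luhn
    "2009-01-14T10:02:14 host=proc09 pan=5555555555554444 exp=0911",
]

if __name__ == "__main__":
    for line_no, finding in scan_capture(SAMPLE_CAPTURE):
        print(line_no, *finding)
```

Any hit on a segment that is supposed to carry only encrypted or tokenized data is the signal: it means the data a sniffer would have captured here was readable.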

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.
[Evan] This may be true in some card-not-present transactions, but it means nothing for data written to physical cards.  People can make credit cards out of any card with a magnetic stripe; gift cards that you can pick up at the Target checkout, blank cards bought online, etc.  For people who want to go the card-not-present route, it may not be difficult to find an address if given a name.  Mr. Baldwin's statement here means little.

As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."
[Evan] Again, maybe this holds true for ONLINE merchants, but it means nothing for PHYSICAL merchants.

In many cases where a processor experiences a breach, the affected banks may simply re-issue new cards to some customers.
[Evan] Which costs the bank $10-12 per card by some estimates.  The bank pays for the fraudulent charges by not holding legitimate cardholders responsible AND/OR reissues cards at 10-12 bucks per card.  The costs add up quickly and will likely be passed on to all customers.  We all end up paying eventually.

It is unclear whether consumers who receive new account numbers from their bank will ever be able to definitively tie the re-issuance to the Heartland breach.

Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services.

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said.
[Evan] Not identity theft, just credit/debit card fraud.

"At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers."

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.

"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."
[Evan] After reading the horrible press release and supporting information, I tend to agree with Avivah Litan.

Baldwin said Heartland worked to disclose the breach last week.

"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said.

"We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility."
[Evan] Transparency?  Please.

"There are a host of things we didn't go into that we're implementing, some larger, some smaller, all of which are designed to say, 'Okay, we had a commitment to high security. We were PCI compliant -- that was certified in April of last year. Yet we had this problem. Clearly we need to do more.' So our IT team is implementing as many additional precautions as it can as quickly as possible."
[Evan] Wait?!  PCI compliance doesn't equal "high security"?  The answer is NO.  It's a start.

If this data breach represents heartache for Heartland, security vendors see it as an opportunity to play doctor.

"As the Heartland breach illustrates, you can be PCI compliant and still be breached," said Phil Neray, VP of security strategy at database security company Guardium, in an e-mailed statement. "Good compliance does not mean good security."
[Evan] Exactly.

Commentary:
There is still too much information missing.  Personally, I am very displeased with Heartland's response and spin.  It's disappointing.  Effective communication is a critical piece of a good incident response plan.  Poor communication can be more destructive to a company than the breach itself.

There are many missing facts.  If fraud has already taken place AND it can be tied to this breach, then I think we have a very big problem on our hands.  If not, we still know that the potential is there.  Who would think that a little piece of code (the malware) could cause so much trouble?  What can you learn from this and put into practice in your organization?

I am always interested in your thoughts…

Past Breaches:
Unknown

Comments
  • 1/21/2009 4:18 PM Dissent wrote:
    It has been tied to fraud. See this post from this afternoon. I contacted Heartland to ask if they would now consider credit monitoring and ID theft restoration services. Guess who hasn't called me back yet?
  • 1/21/2009 9:14 PM charlesrcurbo wrote:
    From my study of your blog and this subject, it has become obvious to me that there needs to be a massive overhaul of the regulation over all types of databases, and there are just too damn many databases being formed and/or combined every day, and it would seem to me like information should be guarded with the same degree of thought as if you were dealing with about 10k cash money for every piece of information you have in your possession regarding people's identity or property, to make people regulate it properly. Serious encryption should be made a mandatory part of any hardware, software, program or application allowed to be sold or utilized (with a few exceptions) that is capable of storing information. Society needs to start looking at information the same as if each name, date of birth and SSN, etc. was equal to about $10k in cash money, as it is easily converted to about that much cash. At the present, for any information thief, the management of information in this country is like walking into a town with no police, and everybody is on vacation, and there are no locks on any doors and no video camera or security equipment of any type is present and everything in the world you want, you can just drive up your trusty old moving van and load it into your trusty old moving van (at your leisure), and drive off laughing. And no one will even know anything is missing! Damn, if I was just a little bit crooked I could be richer than Warren Buffett in a year just accumulating piles of information which I could turn into cash at the snap of a finger. Somebody needs to wake this world up, as we ain't going to be dealing with paper money or paper anything for too much longer and it will soon be like having 6 billion hungry wolves on the other side of the meat you keep behind your door. You might get eaten in the stampede, much less lose your meat. (And then how could you have any pudding?)
