While there have been scores of IT-related security incidents, and this will certainly not be the last, the Heartland Payment Systems incident is noteworthy because the company in question was PCI compliant. While we have seen security certifications such as ISO 27001 and PCI introduced and implemented across industry, a key question that rarely gets addressed is how far IT security initiatives are actually absorbed within the organization. No compliance regime can help when the importance of IT security is not understood. At the end of the day, compliance with security standards can be illusory; the reality may lag far behind.
Who is Heartland Payment Systems?
Heartland Payment Systems™ processes all payments — from credit/debit/prepaid cards to payroll and checks. The company's website says: “helping you navigate through the complexities of payment transactions — and protecting you from the worries, issues and problems that can abound.”
Extract from the press release of 20.01.09
“We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands,” said Robert H.B. Baldwin, Jr., Heartland’s president and chief financial officer. “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.”
No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland’s check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.
After being alerted by Visa(R) and MasterCard(R) of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.
Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.
Heartland has created a website – www.2008breach.com – to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.
“Heartland apologizes for any inconvenience this situation has caused,” continued Baldwin. “Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective.”
“The news media reports about the type and amount of data that may have been placed at risk of compromise in the data breach have been speculative. Potentially exposed through this breach are card numbers, expiration dates and other data from the card’s magnetic stripe. In a small percentage of cases, the cardholder name of your customers who used a credit or debit card in your store during part of 2008 may also have been exposed. As a cardholder, you will not be held financially responsible for any unauthorized transactions that are reported in a timely way to the card issuer. You should regularly monitor your card and bank statements and report all suspicious activity to your card issuer (in the case of Visa and MasterCard cardholders, that would be the bank that issued the card, not the card brand).” – Mr. Robert O. Carr, Chairman and CEO, on the website www.2008breach.com
What are others saying?
Dave Shackleford, CSO, Configuresoft:
The first important point to note about the Heartland breach is that they were, by all accounts, PCI compliant. This underscores the notion that compliance does not equal security, as many tend to believe. Most organizations do not want to spend large sums on security technology and services, as there is rarely an obvious return on the investment. Instead, many companies have taken to spending just enough to “get compliant”, which is a mistake.
Phil Neray, VP, Security Strategy, Guardium:
This breach highlights the need to go beyond ‘old school’ security techniques like simply reading your log. Organizations need to implement technologies such as real-time activity monitoring to catch 21st-century criminals. As the Heartland breach illustrates, you can be PCI compliant and still be breached. Good compliance does not mean good security.
Anthony M. Freed:
Nearly one month after going public, few details of the Heartland breach have been released, and many questions remain regarding a long chain of events that include both the breach and an aggressive executive 10b5-1 stock-selling plan adopted in early August of last year, the same month the breach is now reported to have ended, but still five months before the breach was announced publicly.
“According to a MasterCard alert, this sniffer program stole card numbers and expiration dates from credit and debit cards processed by Heartland from May 14, 2008, through Aug. 19, 2008, as the information entered Heartland’s payment switch,”
Michael Maloof, CTO, TriGeo Network Security:
The perception that credit card data is ‘safe’ within the walls of a corporation is an illusion that we need to shatter. This form of attack has a very low profile and high payoff, so it’s critical that companies look inward and put their networks under a microscope.
You can get more information about this from