Business Week has published a pretty good article on the Lessons Learned from the Heartland Data Breach.  I think the title is a bit misleading though.  There aren’t really any lessons learned, at least as far as what we in the security industry would call lessons learned.  Now from a business point of view it does highlight the need to try and get out in front of a story.   

The original draft of this post had me summarizing the Business Week article with a bit of commentary here and there.  As I reread it I realized that I wasn’t really adding anything and what I really wanted to accomplish had very little to do with the timeline and a lot to do with disclosure.

All in all I can’t really fault Heartland on the public relations side of this security incident.  The only two items that don’t add up for me are the claim that Robert Carr, the CEO at Heartland, only found out about the breach at 10:30 PM the night of Monday, January 12th, and the claim that they didn’t try to bury the disclosure in the middle of the media storm that was the Inauguration of President Obama. 

As the article pointed out, Heartland was informed by VISA in October 2008 that there appeared to be signs of a breach based upon card issuers’ reports.  Heartland took the information seriously enough to go out and hire two forensics companies to examine their systems.  Now I know that Heartland is a big company, but when you add up the costs involved in having two different forensics companies come in for at least two months, and couple that with the possible implications of a data breach of this magnitude, I find it hard to believe that Robert Carr wasn’t at least aware of a critical potential problem before the phone call on January 12th.  If he truly wasn’t, then he wasn’t doing his job. 

The second point is the accusation that Heartland tried to bury the story by making their public disclosure in the midst of the media storm surrounding the Inauguration.  Heartland claims that they couldn’t disclose the details until law enforcement was finished with its initial assessment, and that they did so “as soon as was practicable.”  It is true that they couldn’t make any announcement in the midst of an investigation, but don’t insult my intelligence by implying that the release date and time weren’t by design. 

Now that I have that off of my chest, let me move on.  It is easy to sit out here on the Net and snipe, but let’s look at the situation objectively.  Heartland was compliant with industry standards and guidelines.  When they were notified of a possible breach they began an internal investigation.  This investigation most likely involved spending massive amounts of money on the retention of not one but two separate companies that specialize in digital forensics.  When they received official notification that a breach had occurred (supposition would lead one to conclude that the final document was delivered and briefed to someone at Heartland, most likely on January 12th), they informed the appropriate authorities.  After law enforcement concluded its initial assessment, they made a public announcement and owned up to the facts rather than trying to pass the blame on to anyone else.  They followed this up by personally contacting their customers, either in person or by phone.  Since then Carr has spearheaded an effort to encrypt card data at the point of collection, as well as co-founding an organization to share security information within the payments industry. 

I’m sorry but I can’t find anything to fault here and quite a bit to praise.  I predict that in the years to come the Heartland Incident will become a case study in how to respond to a security incident.  All too often companies try to play the blame game and dance around on the issues.  I think that had Heartland done this they would have taken a bigger hit and garnered a lot more media attention than they already have. 

Not that this has been painless for Heartland.  They say that they lost a few hundred customers; their stock price lost 78% of its value and is currently trading at about 50% of what it was worth prior to the announcement.  They have spent something on the order of $12 million in remediation and mitigation activity thus far.  Expect that number to go up.  TJX is reported to have spent $171 million.

Was Heartland negligent in some way?  Well, that has yet to be seen, but based upon the information we have thus far I’d venture to say that they weren’t.  Negligence is the failure to exercise the care toward others which a reasonable or prudent person would exercise in the circumstances, or taking action a reasonable person would not.  If they were compliant with industry standards and guidelines, and responded appropriately when notified of a problem, then I would say that constitutes exercising due care commensurate with a reasonable or prudent person’s actions. 

Now if Heartland isn’t to blame, who is?  There is the assertion that PCI is to blame.  Personally I’m not a fan of competing standards.  I just don’t see why we need so many different standards when we obviously are just repeating ourselves in varying levels of detail.  All that said, I’m not so sure it is the fault of PCI or any other standard that Heartland could have applied.  What I believe the issue to be is the application and measurement of standards and guidelines.  All too often we take an audit mentality when we talk about complying with standards and guidelines.  When we do this we distill everything down into some sort of checklist and then equate this with being secure.  You pass the audit, you are secure; you fail the audit, you are not secure.  The Heartland Incident is just another example of this being a false premise.

Now I don’t want to appear to be advocating the proverbial throwing the baby out with the bath water.  What we need to do is find some way to encourage and support companies to make informed risk based decisions about security.  We can utilize standards and guidelines as frameworks upon which to build sound security practices but we also need to find a way to support companies to make security decisions based upon acceptable risk and not compliance. 

But do you want to know what the kicker is to all of this?  It is that if we do this then we will eventually come across a company that does all the right things and still has a security breach.  That will be the moment of truth.  How do we react?  Do we support the company for doing the right things and making sound risk based decisions or do we slam them for non-compliance with an arbitrary set of standards and guidelines? 

If we slam them, then we are right back to where we are now: stuck in the quagmire of checklist/compliance-driven security, which we know doesn’t work.  If we support them and use the security breach as an opportunity to learn from the mistake in order to improve, then we’ve turned the corner. 

I’m not saying that I have all the answers either.  There has to be some measure of incentivizing companies to incorporate security into their processes other than forcing compliance with a law or regulation.  I’m just not quite sure what that is.  I do know that what we are doing now isn’t working.
