According to the Wall Street Journal, Heartland Payment Systems Inc. of Princeton, NJ has fallen victim to a data breach that may have resulted in the unauthorized disclosure of 100 million credit card numbers or more. At this time the company can’t say how many records were lost, but it does handle 100 million credit card transactions each month for more than 250,000 businesses nationwide, for a total processing volume of $20 billion (according to the company’s Q3 2008 earnings call). This data breach has the potential to be bigger than the TJX data breach. The data compromised is reported to be “track data”, the crown jewels of credit card information, because it allows the attacker to actually reproduce the victim’s credit cards.
Heartland was first alerted to the possibility of a breach by Visa and MasterCard, which detected a pattern of fraudulent transactions. Heartland’s investigation has revealed the presence of malicious software on its systems, which Heartland’s president Robert Baldwin characterized as “light-years more sophisticated” than the run-of-the-mill malicious software typically found on the Internet. This raises the possibility that this was a targeted attack as opposed to a “drive-by” infection.
What is also curious is that when I did some looking into Heartland and PCI, I found that security and PCI compliance were one of the main selling points of their service, based on these two PDFs I found (Retail Solutions PCI and RippedOff).
Now I don’t work for Heartland, nor do I know anyone who does, so I don’t have an axe to grind any more than I have an ass to kiss. It is early days in this data breach story, so at this point I’m prepared to give Heartland the benefit of the doubt that they had taken reasonable and prudent measures to protect their data consistent with their industry. I was also able to find a quote from Robert Carr, Heartland’s Chairman and Chief Executive Officer, on the importance of security:
“We also recognize the need to move beyond the lowest common denominator of data security, currently the PCI DSS standards. We believe it is imperative to move to a higher standard for processing secure transactions, one which we have the ability to implement without waiting for the payments infrastructure to change. We believe that standard to be true end-to-end encryption, and we are committed to launching this new standard in the fourth quarter of ‘09 or early 2010 with several forward-looking clients and industry partners. We believe that the payment world is at risk, relying on virus protection software to protect us from determined criminal organizations.”

When I add up what I’ve found, it appears that once again we have an example where simple compliance with standards does not necessarily equal security. If Heartland was fully compliant with PCI DSS, and I have no reason at this point to believe otherwise, then it should serve as an example to change the perspective we take on securing our information from one of compliance to one of risk. (Although I’m admittedly perplexed at why they were storing track data. If they were truly storing full track data, to include the CVV and/or PIN number, then that would call into question their PCI compliance.)
This is definitely one to watch in order to see how it develops.
Tags: Data Breach, Fraud, Heartland Payment Systems, malicious software, malware, MasterCard, PCI DSS, Robert Carr, TJX, track data, Visa, Wall Street Journal