Lack of transparency on Heartland breach
How long can Heartland Payment Systems, Visa and MasterCard obscure the total number of records data thieves swiped in a caper that almost certainly will surpass the TJX hack? Is it 100 million? 150 million?
Once again, we have a case where more transparency would clearly serve the greater good of making the Internet incrementally safer. Instead, what appears to be unfolding is yet another demonstration of plausible deniability by the centrally involved financial institutions, as each tries to dodge liability.
Depending on the results of the on-going investigation, Heartland will face the threat of litigation from issuing banks, merchants and consumers, says Scott Vernick, an attorney with Fox Rothschild LLP in Philadelphia, who specializes in data breach cases.
“The businesses that use Heartland as a credit card processor, as well as thousands of consumers, will be anxiously watching for any negative impact, including harm to their business reputations, and the real possibility of identity theft or fraud,” says Vernick.
Heartland insists that announcing the breach on Inauguration Day was pure coincidence. Let’s grant them that, and focus on the months before the announcement. Heartland President and CFO Robert Baldwin has been accessible and forthcoming, to a point, in two interviews I’ve had with him.
He says Visa and Mastercard tipped Heartland off to a likely breach of Heartland’s systems last fall. He also told the New York Times that malware may have been implanted in Heartland’s system, which processes 100 million transactions per month for 175,000 restaurants and smaller merchants across the nation, as early as May 2008. He told me Heartland’s IT staff spent from late fall to mid-December or so trying to root out the malware, with no success. So they called in a forensic specialist, who then took about a month to ferret out clear evidence of the malware. A week later, on Jan. 20, Heartland went public about the breach.
Baldwin insists this was not an inside job; he says that the US Secret Service and Dept. of Justice tell him the caper is similar to recent hacks at other institutions. That, in and of itself, raises a lot of questions. What other institutions? Perhaps Star Processing, which handles card transactions for Forcht Bank of Kentucky? Forcht on Jan. 12 began replacing debit cards for 8,500 customers. Could these two separate breaches be part of a much larger global scam? How big is the combined pool of stolen records from recent hacks of these and other institutions?
One indicator of a larger criminal nexus at work comes from CardCops president Dan Clements, who keeps an eagle eye on the chat rooms where criminals test stolen card numbers on tools that run scripts merchants use to authorize card use. “We have seen an increase of at least 20% over the last six months in online chat room activity where hackers are testing out stolen credit and debit cards to make sure that they are active,” says Clements. Large batches of numbers are being tested. Clements believes that the numbers “could have come from a processor like Heartland or some other source that has access to a lot of customer data but is not a retailer.”
Back to Heartland. How did the data thieves crack in?
Matt Pauker, co-founder of Voltage Security, suggests it was most likely via a Heartland server connected to the Internet. Perhaps the bad guys obtained stolen administrator login credentials, as in the attack on Monster.com that netted 1.3 million records. Or maybe they executed a successful SQL injection attack. This recent report by IBM ISS notes that SQL injection vulnerabilities and public attacks on them are on the rise.
“Once the system was compromised, the hackers likely hopped from machine to machine until they reached the credit card processing system,” Pauker surmises. “There, they were able to install software that enabled them to ‘listen in’ to transactions as they were passing through.”
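Pauker’s hop-by-hop scenario is one a defender can at least look for in authentication logs: a single account fanning out to an unusual number of hosts in a short window, then walking toward the systems that handle card data. The script below is an added example, not code from the original post, from Heartland or from Voltage; the log format, host names, thresholds and sample lines are constructed assumptions, and the thresholds would need tuning per environment.

```python
"""Spot one account fanning out across many hosts: a defender's check for the
"hop from machine to machine" phase described in the post.

Added example; not code from the original post, Heartland or Voltage.
The log format and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication records: time, user, source host, target host.
SAMPLE_AUTH_LOG = """\
2008-11-03T02:01:10 LOGIN user=svc_backup src=web01 dst=app07 result=success
2008-11-03T02:03:42 LOGIN user=svc_backup src=app07 dst=db02 result=success
2008-11-03T02:05:15 LOGIN user=svc_backup src=app07 dst=db03 result=success
2008-11-03T02:06:58 LOGIN user=svc_backup src=db03 dst=settle01 result=success
2008-11-03T02:09:30 LOGIN user=svc_backup src=db03 dst=settle02 result=success
2008-11-03T09:15:00 LOGIN user=jsmith src=ws113 dst=app07 result=success
2008-11-03T09:40:12 LOGIN user=jsmith src=ws113 dst=app07 result=success
2008-11-03T14:00:00 LOGIN user=jsmith src=ws113 dst=fileshare01 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Turn raw lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def find_fan_out(events, window=timedelta(minutes=15), max_hosts=3):
    """Flag accounts that successfully log in to more than `max_hosts` distinct
    targets inside any sliding window of length `window`.

    Returns {user: (distinct_hosts_in_worst_window, window_start_ts)}.
    Both thresholds are assumptions; tune them per environment and account type.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append((e["ts"], e["dst"]))

    alerts = {}
    for user, logins in by_user.items():
        logins.sort()
        worst = (0, None)
        for i, (start, _) in enumerate(logins):
            hosts = {dst for ts, dst in logins[i:] if ts - start <= window}
            if len(hosts) > worst[0]:
                worst = (len(hosts), start)
        if worst[0] > max_hosts:
            alerts[user] = worst
    return alerts


def chain_for(events, user):
    """Reconstruct the ordered src->dst path an account walked, for incident response."""
    hops = sorted((e["ts"], e["src"], e["dst"]) for e in events
                  if e["user"] == user and e["result"] == "success")
    return [f"{src}->{dst}" for _, src, dst in hops]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for user, (n, start) in find_fan_out(evs).items():
        print(f"ALERT {user}: {n} distinct hosts within 15 min starting {start}")
        print("  path:", ", ".join(chain_for(evs, user)))
```

On the constructed data the service account is flagged (five hosts in under ten minutes, ending on the settlement systems) while the interactive user, who touches one application server twice and a file share hours later, is not. A real deployment would feed this from a central log collector rather than a string, and would pair it with the other signal the post mentions: a forensic look for unexpected software on the hosts at the end of the chain.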
Rob Rachwald, Fortify’s director of product marketing, envisions a similar scenario: “Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on Heartland’s IT resources,” he says.
So will federal authorities some day divulge the actual modus operandi so lessons can be duly learned by one and all? “I somehow think this will not happen,” says Rachwald.
Adds Pauker: “This attack vector is similar to what was used in the attack on TJX, where attackers first compromised a wireless network in a store, then used that opening to work their way into the corporate systems.”
Maybe. No one outside of law enforcement knows the definitive cause of the TJX hack. I’ve heard of a scenario where the bad guys hacked in via a job applicant’s PC kiosk at the back of a TJ Maxx. We really have no definitive lessons learned from TJX, save for how much TJX had to set aside in reserves to clean up the aftermath ($197 million) and, much later, that PCI compliance might not have made any difference. TJX was famously not in compliance with PCI data handling security standards.
The fact that Heartland’s systems were certified as being fully in compliance with PCI standards underscores questions about the efficacy of the PCI rules. After all, the Hannaford Brothers grocery chain likewise met PCI rules, but had 300 stores hacked for 4.3 million records.
“As the Heartland breach illustrates, you can be PCI compliant and still be breached,” said Phil Neray, VP/Security Strategy at Guardium, a database security vendor. “Good compliance does not mean good security.”
Mark Bower, Director of Information Protection Solutions at Voltage, points out that most PCI compliant payment processors have sections of their network where data is not encrypted, moving “in the clear” so as to communicate with upstream partners, like Visa and Mastercard.
“These gaps create excellent attack points for hackers, as data is fully exposed,” says Bower. “The only solution to eliminate this threat is end-to-end encryption.”
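The “in the clear” segments Bower describes can be found by the defenders before anyone else does, by scanning what actually crosses them: packet captures, queue payloads and application logs on the internal hops. The Python below is an added example, not code from the original post, from Voltage or from Heartland. It pulls Luhn-valid card numbers out of constructed sample payloads and masks them for a report; the payload formats are assumptions, and the card numbers are published test numbers, not real accounts.

```python
"""Find primary account numbers travelling or logged "in the clear": a check a
defender can run over captures, log files or queue payloads on the unencrypted
network segments the post describes.

Added example; not code from the original post, Voltage or Heartland.
The sample payloads below are constructed and use well-known test card numbers.
"""
import re

# Runs of 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check that every real PAN satisfies; it filters out
    timestamps, order ids and other digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid digit runs found in `text`, normalised to digits only."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits):
    """Report-safe form: only the last four digits are kept, so the scan
    output itself does not become another copy of the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines):
    """Map each line number (1-based) to the masked PANs exposed on that line."""
    report = {}
    for n, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            report[n] = [mask_pan(p) for p in pans]
    return report


# Constructed samples: an authorisation request on an internal hop, a
# settlement log line, and two lines whose long digit runs are not cards.
SAMPLE_LINES = [
    "AUTH pan=4111111111111111 exp=0910 amt=4250 mid=88123",
    "SETTLE batch=20081103 pan=5500 0000 0000 0004 status=ok",
    "event_id=20081103020110123 uploaded by svc_backup",
    "ref=1234567890123 note=masked pan ************1111",
]

if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LINES).items():
        print(f"line {n}: PAN in the clear -> {masked}")
```

Run against the constructed lines, the first two are reported and the last two are not: the 17-digit event id and the 13-digit reference both fail the Luhn check, and an already masked PAN has no long digit run at all. A hit on a segment that is supposed to carry only ciphertext or tokens is exactly the gap Bower is describing, and the same routine is useful for checking that logs and error messages never contain a full PAN.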
Perhaps. But again, the big missing ingredient is public awareness. Without a higher degree of transparency of major breaches, and open discussion and collaboration among the good guys, movement toward a safer Internet will continue to be constrained.
–Byron Acohido
Photo: Robert Carr, chairman and CEO of Heartland Payment Systems, rings the Opening Bell on August 12, 2005 at the New York Stock Exchange. (NYSE)
January 22nd, 2009 at 10:53 am
It’s funny how Heartland revealed their data breach on inauguration day, and RBS WorldPay admitted its incident that has affected 1.5 million people on 23 December.
Maybe we should work out other “big dates” and “holidays” coming up in advance, and run a sweepstake on which companies may be trying to slip out their bad news then?
January 22nd, 2009 at 11:52 am
Anyone in security or involved with PCI DSS knows that compliance does not indicate that a breach will not occur. Compliance is expensive and the dirty little secret is that many companies will try to get compliant as quickly and inexpensively as possible. I’m not convinced that PCI DSS compliance is not a safety for a breach. Some questions that lead us down other paths are: Who certified the breached companies as compliant? Is there a pattern with the certifying company? What type and level was the breached company? A pattern may develop there as PCI DSS requirements vary on the type and level. When the breached companies answered the PCI DSS questionnaires, what answers did they provide? It is unlikely anyone will gain access to the questionnaires, but it would be interesting to have an independent 3rd party go through the questionnaires to confirm and find patterns.
January 22nd, 2009 at 2:14 pm
The Heartland breach is but another confirmation that the level of hacker sophistication continues to evolve and that we must never underestimate their ingenuity or capacity for stealth. Unfortunately, I anticipate that this type of criminal activity will become even more prevalent during this period of economic turmoil. Therefore, it is imperative that business, the Obama Administration and the new Congress keep privacy, security and identity theft issues on the front burner.
Just as many public companies time the release of negative earnings reports to coincide with the end of the trading day on Friday, I am not surprised that disclosure of this particular breach was made on Inauguration Day – certainly one of the most heavily anticipated political events of our generation.
This breach is yet another reminder of why consumers must spend a few minutes every day reviewing online the activity in their bank and credit card accounts and feeling completely comfortable that every transaction they see is correct.
All the best,
Adam K. Levin
Chairman and Co-Founder
Identity Theft 911
January 22nd, 2009 at 3:03 pm
You wrote “Heartland insists that announcing the breach on Inauguration Day was pure coincidence. Let’s grant them that.”
Are you kidding???
There are no coincidences when a CEO like Bob Carr from Heartland Payment Systems issues a press release like this.
Bob has thought about every angle (ten times over) to try and minimize the damages to his company.
Issuing a press release on Barack Obama’s inauguration day was as sneaky as it was brilliant.
Here is a good video regarding this angle:
http://www.youtube.com/watch?v=fMYdxCvM3do&feature=channel_page
Best regards,
Keith
http://www.insideIDtheft.info
January 22nd, 2009 at 4:19 pm
I don’t think it matters how many identities were compromised. I can safely say it’s greater than 1 million and probably less than a billion. Worrying about Heartland (and TJX for that matter) divulging that information is more about headline fodder for reporters than dealing with the root cause of the problem.
This is the 2nd “PCI compliant” firm suffering a massive data breach. PCI will face a crisis of confidence unless the standards council figures out how to make the requirements more relevant to today’s new attack vectors.
I wrote a piece on the eIQ blog about the breach and one potential approach to defend against these kinds of attacks. http://blog.eiqnetworks.com/2009/01/22/heartland-proves-that-log-data-is-not-enough/
As another commenter made the point, you can’t stop these attacks. But you can find out about them much faster and contain the damage.
January 27th, 2009 at 2:21 am
I don’t know what you mean by “lack of transparency” since it would not seem wise to release full details of the breach when there is an ongoing criminal investigation into how the breach occurred, who the perpetrators are, and if others have been affected.
If you go to the Heartland website documenting the breach, it seems like there is a fair amount of disclosure. Whether 3000 card numbers or 300 million card numbers were stolen may be impossible at this time to know. It isn’t reasonable to assume that full transparency is expected after this type of incident.
Heartland has made a public effort to inform its merchants of the breach and made it easy for people to ask questions about the breach. You don’t need to go hunting for that one corner of the site to get contact information.
“If you have further questions or concerns, please call our toll-free number at 1.866.399.6228 or email us at 2008breach@e-hps.com.”
A lack of complete details may indicate a need to protect against liability, and any reasonable company will not disclose information that would expose it to severe liabilities. It would be unreasonable to expect otherwise. No sane person will shoot himself in the face.
January 27th, 2009 at 11:33 am
“Good compliance does not mean good security.”
This is an excellent point and highlights the fact that an organization should not trust its lifeblood and liability on any set of standardized rules. PCI compliance is a great way to begin, but I don’t believe it should be treated as the end-all of security.
End-to-end encryption is a good safety net for when data is lost. Not only does it make extracting usable data significantly more challenging, it helps mask it so that the hacker doesn’t always know what they’re getting to begin with. They’re less likely to expend as much effort and subject themselves to as much risk if they don’t know whether they’re getting credit card numbers or a simple laundry list of routine server updates.
Best Regards,
Travis Tidball
Director of Customer Relations
DigiCert, Inc.
http://www.digicert.com
January 27th, 2009 at 3:20 pm
A certification of PCI DSS compliance does not necessarily mean true compliance with PCI DSS. With most level 1 processors, the PCI DSS audit occurs only once annually, and during the actual audit only a sampling of systems is tested. My guess is that when and if the details of a true forensic investigation performed by an objective investigator are disclosed to the public, we will learn that Heartland was violating one or more of the requirements laid out in the PCI DSS, and if they had fully adhered to the PCI DSS and continued to adhere to it, the breach would have been prevented or identified right away and controlled.
The heart of the Payment Card Industry’s Data Security Standard is a great set of guidelines for true data security, but the burden of truly following the spec is often insurmountable for any organization that has not built their payments infrastructure around it from the ground up - meaning any organization that tries to take a legacy system and make it truly compliant is fighting an uphill battle.