Data Theft Hits the Heartland
- By Jabulani Leffall
- January 21, 2009
A malicious keystroke logging exploit hit Heartland Payment Systems
in what many are already calling the biggest data theft ever, with nearly 100 million records siphoned from the large payment-processing company.
The attack raises doubts about Payment Card Industry (PCI) compliance standards, and whether or not customers are actually protected by vendors that meet the PCI security benchmarks.
Heartland officials first found evidence of the incursion last week. They notified federal law enforcement officials and credit card companies, according to Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer, in a statement issued on Tuesday.
"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said in a press release.
The alleged method of hacking here was a keystroke logger bug, which nests in a systems and tracks what was typed. Similar malicious technology exists that captures mouse clicks.
The data stolen from Heartland includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.
Heartland handles more than four billion transactions each year, according to its Web site. Small to mid-sized restaurants account for 40 percent of its transaction processing.
"The solutions to these threats as you can imagine are multifold and require not just products, but also revised processes, policies and employee education," said Tom Ruffolo, president of Securitytogo LLC. "Also, it is important to know that virtually all the enterprise security solutions that address these threats are available to small and medium companies too."
Compliance Doesn't Equal Security
Efforts by the Payment Card Industry Council to set security rules typically get renewed focus after security breaches, such as this one. However, in the case of Heartland, it's déjà vu all over again. Heartland was validated as being in compliance with the Payment Card Industry Data Security Standard (PCI DSS) as recently as April of last year.
As of Tuesday, credit card company Visa has Heartland's current status "under review." The firm's PCI assessor, Trustwave, could not be reached for comment.
It's clear now that, as in the case of Heartland and others, compliance standards do not guarantee safety. Moreover, the standards are murky and daunting, given their storage and transaction-routing requirements.
"The big question is, 'What the heck do you protect?'," said Kris Lovejoy, IBM's director of corporate governance, risk compliance and security strategies, who discussed the role of security standards last year.
More Data Theft To Come?
We've recently seen high-level incidents of data theft, such as those that occurred at TJX, Hannaford Bros., Countrywide and Citibank. Heartland's troubles follow increased awareness at many enterprises of the importance of data loss prevention programs.
The Identity Theft Resource Center released a report (PDF) two weeks ago highlighting the issue. The report found that data breaches were up 47 percent in 2008 compared with 2007 results, when there were 447 reported cases.
The Heartland case is the second of its kind in as many months. On December 23 of last year, RBS Worldpay, a unit of Citizens Financial Group Inc., reported that a payment system breach may have affected 1.5 million records.
To give some perspective on the 100 million records stolen in just one breach at Heartland, the Privacy Rights Clearinghouse reported that there have been at least 246 million records stolen since 2005. Moreover, the late 2007 data theft from clothing retailer TJX Cos. resulted in the loss of more than 90 million records card numbers and 46 million personal records.
Using identity-based encryption and format-preserving encryption can eliminate threats such as these, according to Mark Bower, director of information protection solutions for security vendor Voltage.
"Given the scale and depth of the compromise this is a very significant breach indeed," he said of the Heartland incident. "The fact that hackers were able to infiltrate Heartland Payment Systems is an example of how the trust between financial services companies and the consumers [who expect their data to be safeguarded] can be broken. Breaches like this can be stopped. The problem is, very few know how."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.