Heartland data breach

Well, there has been another huge data breach. This time, it is Heartland Payment Systems, a provider of credit and debit card processing services. And the size of the breach is staggering: at least 100 million cards. This is more than double the TJMaxx breach which resulted in about 45 million cards being compromised.

The company revealed that unknown intruders broke into its computers and planted malicious software to steal credit card data. This happened sometime in 2008. Now the most worrying aspect of this is that Heartland did not find this out by themselves. The company discovered the intrusion only last week after being alerted by Visa and MasterCard of suspicious activity. Heartland claims that no merchant data, cardholders’ Social Security numbers, or unencrypted personal identification numbers (PIN), addresses or telephone numbers were compromised. But the intruders seem to have taken Track 2 data from the magnetic stripe on the cards. This data can be used to create counterfeit cards.

The biggest questions for Heartland are:

  • Why did they not pick up the fact that malicious software was installed on their computers?
  • Why did they not know about this breach until Visa and MasterCard alerted them?
  • How long did the intruders have their software intercepting card data?
  • How are they going to help card holders deal with this?

There are a lot of things that they should have been doing:

  1. Regular scans of their computers to identify installed malware.
  2. Checking their communication lines to see if any data is sent without proper encryption.
  3. Looking for unauthorized devices within their network. One unauthorized wireless access point can cause a lot of damage to an organization.
  4. Regular tests of their firewalls to ensure that they do not allow unauthorized access to their network.

This list is just a bare minimum.
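As an added illustration of item 2 (example code, not from the original post or from Heartland), here is a small check that flags cleartext Track 2 records in captured or logged traffic, the kind of data this breach exposed. The payload lines below are constructed; a real deployment would feed it the decoded bodies of outbound connections or application logs.

```python
import re

# Track 2 layout (ISO 7813): ';' PAN '=' YYMM expiry, 3-digit service code,
# discretionary data, '?' end sentinel. Cleartext records look like
# ";4111111111111111=1012101123456789?" and should never leave a processor
# unencrypted.
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check on the PAN, so that random digit runs do not raise alerts."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_track2(payload: str) -> list:
    """Return one masked record per Luhn-valid Track 2 record in the payload."""
    hits = []
    for m in TRACK2_RE.finditer(payload):
        pan, expiry, service_code, _discretionary = m.groups()
        if luhn_ok(pan):
            # Keep only BIN and last four so the alert itself does not leak the PAN.
            masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
            hits.append({"pan": masked, "expiry": expiry, "service_code": service_code})
    return hits


def scan_lines(lines: list) -> list:
    """Return (line_index, records) for every line carrying cleartext Track 2 data."""
    findings = []
    for idx, line in enumerate(lines):
        hits = find_track2(line)
        if hits:
            findings.append((idx, hits))
    return findings


# Constructed sample traffic: an opaque (encrypted) body, a cleartext Track 2
# record, and a Track 2-shaped string whose PAN fails the Luhn check.
SAMPLE_LINES = [
    "POST /settle HTTP/1.1 body=Q2lwaGVydGV4dEJsb2JIZXJl",
    "POST /settle HTTP/1.1 body=;4111111111111111=1012101123456789?",
    "POST /settle HTTP/1.1 body=;4111111111111112=1012101123456789?",
]

if __name__ == "__main__":
    for idx, hits in scan_lines(SAMPLE_LINES):
        print(f"line {idx}: cleartext Track 2 data {hits}")
```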

Heartland also says that it “will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals”. This is like shutting the barn door after the horses have bolted. The damage to their reputation and customer confidence has already been done.

A lot of people are now saying that PCI is not enough and that it is ineffective. I believe that the PCI requirements are fine. In my opinion, it is the verification process that needs to be strengthened. If companies follow the spirit of PCI rather than trying to get away with doing the minimum to meet the PCI requirements, they will surely reduce the number and consequences of these types of incidents.