Wednesday, January 21, 2009
Since learning of the attack, Heartland reported it has aggressively worked to ascertain the extent of the breach and its impact, as well as ensure the integrity of cardholder data.
Visa and MasterCard received reports of fraudulent card use by their issuing banks last November and subsequently notified Heartland. The two card brands then triangulated the path of the hackers' attack [tracing transactions back through cardholders, issuing banks and processors] and reportedly found sufficient evidence of a potential problem in Heartland's system.
Heartland hired two additional outside forensic auditors to assist its internal team immediately after it was informed by the card brands the company could be ground zero for the breach.
"We have isolated the issue, and our internal forensic team and the [outside] forensic auditors consider it contained," said Robert Baldwin, President and Chief Financial Officer of Heartland. "This is something that we have been working aggressively and diligently on, and we continue to undertake a number of improvements in our data security.
"However, as we move forward, we believe the problems have been eliminated. And there is no suggestion or hint that any merchant will suffer any damage whatsoever."
Heartland's processing platforms contain over 600 million cardholder records, but security experts suggest data from significantly fewer accounts had been accessed or extracted. Heartland stated it does not know the number of cardholder accounts compromised. Baldwin added that it has been a challenge to discover precisely how it happened.
"After putting the pieces together, we discovered quite a sophisticated attack on our processing platform," Baldwin said. "Since then we have been working on gathering as many facts as we can, with a focus on getting something out as quickly as we could. We notified our merchants and the organizations that process with us as soon as it was humanly possible."
After the breach was confirmed, Heartland immediately began containment measures, implementing additional security and risk management tools, as well as notifying merchants of the situation via a company press release on Jan. 20, 2009.
"We're dealing with a cleanup, of course, and it's a challenge, certainly, because our standards are already tight," Baldwin said. "We were certified PCI [Payment Card Industry] compliant last April. However, clearly the measures we had in place were inadequate to stop the attack. So, we will take an even deeper focus – along with a new sense of urgency – on achieving that much more security in our system."
Heartland is also allowing unrestricted access to its forensic audits by any payment organization requesting them. "Heartland is willing to share file structures as well as all the information they have to help those people that have Windows-based applications with anti-virus software to determine whether or not they've been compromised," said Paul Martaus, President of consulting firm Martaus & Associates.
According to Dr. Tim Cranny, Chief Executive Officer of security compliance specialists Panoptic Security Inc., there is no comprehensive cure-all against data breaches. "The first thing is that PCI does not make one bulletproof," Cranny said. "It puts you in the top category as far as the diligence and care that you're taking with security.
"There is real benefit in PCI, but remember that the mom-and-pops of the world have one percent of the expertise and resources that a Heartland does. It really comes down to taking a risk management approach, to look at all the things that can go wrong and try to deal with them. There's simply no pill you can take to make it all go away."
Baldwin said Heartland executives have been in discussion with the U.S. Department of Justice and the U.S. Secret Service and were informed that this breach was committed by an international organization that has also targeted other U.S. processors and financial institutions.
"I am finding it hard to believe that we are not responding to an obvious act of cyber terrorism aimed at trying to disrupt the payment system of the United States, and it just blows me away that nobody sees it," Martaus said. "All of these intrusions are the work of one Russian mafia gang. And 15 other processors apparently have been attacked and no one knows about it."
Martaus suggested, however, that federal officials do know about these attacks but they're not telling anybody. "This should be a national emergency, and the Pentagon, the National Security Agency, everybody should be involved in this," he said. "This could absolutely destabilize the payments industry and bring it to its knees. A cyber terrorist attack, while not meant to destabilize the government or the economy, can do just that."
To best combat future cardholder data compromises, Martaus and other industry experts propose building a coalition of processors to formulate how to best approach this issue, supplement the PCI Data Security Standard to increase protection standards and thwart future cyber attacks.
"This is serious, and the steps we take now – or the ones we don't take – will either save or destroy this industry," Martaus said. "Heartland is a victim in all this and we need to be proactive, not punitive, because it could cost us our livelihood. This is no joke."
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.