Payments processor discloses massive data breach

By Marcia Savage and Robert Westervelt, SearchSecurity.com Staff 21 Jan 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Payments processor Heartland Payment Systems Inc. said on Tuesday that its processing system was breached last year in what company officials said may be a global fraud operation.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

It was unclear how many credit cards were affected by the breach. Princeton, N.J.-based Heartland Payment Systems provides payment card processing, payroll and other payment services to more than 250,000 business locations nationwide. The company said it handles about 100 million credit card payments a month and more than 4 billion transactions per year, making it one of the top five processors of payment transactions in the United States.

Visa and MasterCard alerted the company to suspicious activity associated with card transactions, prompting Heartland to hire several forensic auditors to investigate. Last week, investigators uncovered malware that compromised data crossing the company's network.

Data security breaches: Hannaford breach illustrates need to have a survival plan: The Hannaford Bros. Co. supermarket chain is the latest company to suffer a data breach. It illustrates the need for companies to have a survival plan tucked away, experts say. Hannaford breach illustrates dangerous compliance mentality: The Hannaford supermarket breach illustrates how too much emphasis on compliance puts critical data at risk. TJX faces data audits for 20 years under FTC settlement: TJX Cos Inc. agreed to implement tighter security and obtain independent audits every other year for 20 years, according to a settlement reached with the Federal Trade Commission. TJX breach tied to Wi-Fi exploits: The TJX hackers started their assault two years ago by attacking security holes in the retail giant's wireless system outside a Minnesota Marshalls.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer said in a prepared statement. "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

The company said the breach did not affect merchant data or cardholder Social Security numbers, unencrypted personal identification, addresses or phone numbers. Heartland's check management systems and its Network Services and Chockstone processing platforms were also unaffected by the intrusion.

In the wake of the breach, Heartland said it boosted security of its systems and will install a program to quickly flag network anomalies.

"Heartland apologizes for any inconvenience this situation has caused," Baldwin said. "Heartland is deeply committed to maintaining the security of cardholder data."

Security industry analysts and experts said the breach could be larger than the massive TJX data security breach in which at least 45.7 million credit and debit cards were stolen over an 18-month period. It was the largest data security breach on record.

Gartner analyst, Avivah Litan questioned the timing of Heartland's disclosure and the amount of information that the payment processor released as part of its disclosure. The processor said it found evidence of a breach last week and made a public announcement Tuesday, when all eyes were on the Presidential Inauguration.

SearchSecurity radio:

"There's no reason for this speculation," Litan said. "They have the data and could tell the public how many records were affected, but they're not doing that."

Litan said the breach could be massive in scale, far surpassing the likes of Hannaford and TJX. It comes at a time when those in the credit card industry was starting to relax a little, believing merchants and processors had implemented some of the best security defenses, Litan said.

"This is clear evidence to me that the criminals know how to bypass the traditional security controls in place today," Litan said. "It's clear that they're targeting the processors now because there's much more data there. [Processors] are more centralized and the thinking is that more attention is paid to their security, but they are at the nerve center of processing systems."

Rich Mogull, an independent consultant and founder of security consultancy Securosis LLC said that the breach is evidence that attackers are finding their way into massive payment systems using stealthy malware to avoid detection systems.

"By our estimates is the most common vector of massive breaches," Mogull said in a Securosis blog posting. "TJX, Hannaford, and Cardsystems, three of the largest previous breaches, all involved installing malicious software on internal networks to sniff cardholder data and export it."

Tags: Identity Theft and Data Security Breaches,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Theft and Data Security Breaches Chip and PIN adoption serves lesson for U.S. payment industry Group to shed light on secure identity management threats Heartland CIO is critical of First Data's credit card tokenization plan Heartland CIO on end-to-end encryption, credit card tokenization Heartland CIO on PCI, E3 project Visa probes tokens, encryption for PCI card data protection University data breach exposes 163,000 women to identity theft TJX thrives following breach, bucks sour economy Security expert's PCI analysis misguided, says PCI Council GM External attacks start with unintentional mistakes, survey finds

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) CISP-PCI  (SearchFinancialSecurity.com) cookie poisoning  (SearchSecurity.com) drive-by pharming  (SearchSecurity.com) extrusion prevention  (SearchSecurity.com) identity theft  (SearchSecurity.com) parameter tampering  (SearchSecurity.com) pretexting  (SearchCIO.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary