Heartland Bleeds Data, Potential Victims Could Number Millions

ecommercetimes.com (Jan 21 2009) Consumer , ID Theft Prevention

Categories:
Sectors: Consumer, Corporate, Government, Healthcare, Higher Ed
Primary Issues: Compliance, Data Breach, ID Theft Prevention, Medical Identity Theft
Incidents: Lastest Data Breaches, Reports

Quotes

  1. We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands. We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.
  2. This breach is extremely significant, and is perhaps the single largest theft of consumer data to date. Heartland has yet to confirm how long ago this penetration occurred, or how many records are at risk. What we do know is that they've stated records of 175,000 out of 250,000 of their retailers were potentially compromised. It is likely tens of millions of credit card and debit cards details have been stolen.
    By Michael Argast
  3. The second, much more likely in this type of loss, is a targeted attack -- the attackers likely used a multi-stage penetration that involved delivering malware via a vulnerability -- an exploit or social engineering attack, followed by the sniffer that Heartland found, which allowed the hackers to intercept the data in transit and then send it out of the network.
  4. Heartland Payment Systems are part of the industry's payment and data security standards. What this attack demonstrates is that security is only as strong as its weakest link. This begs the question, since HPS had complied with the security standard they were supposed to as a processor, whether those standards are enough.
    By Gretchen Hellman
  5. IT is only as good as the funding provided for it. Some of the rethinking needs to go into the way we approach security in this regulated world. Even though companies comply with these regulations, compliance apparently is not enough. The PCI is a list of items, but security needs are much more sophisticated than a list. It is a combination of people, processes and technology. In this regulated world, meeting the regulations is one thing, but it doesn't mean you're protected.
  6. I don't have the specifics, but I imagine the criminals used under-the-radar malware that was not detected by the controls Heartland had in place. Also, I am left to wonder how the crooks got the data out of their system -- a firewall policy should preclude such data transfers to unrecognized servers.
    By Avivah Litan
  7. There should be a minimum of an annual evaluation for most organizations. The depth of the evaluation and effort placed into it may depend on the value of their data, but the threat and threat vectors are changing so rapidly that yesterday's defenses can become quickly overwhelmed by today's malicious technology. Organizations like Heartland, which are very attractive targets for hackers, need to have security analysts that are aware of changes in the threat and are able to adjust their security policies rapidly.

Entities Mentioned


Authors


  1. Heartland Bleeds Data, Potential Victims Could Number Millions Massive credit card payment processor Heartland Payment Systems disclosed Tuesday that a security breach within its processing system some time in 2008 resulted in the potential exposure of millions of credit card and debit card numbers. No cardholder Social Security numbers, addresses or telephone numbers have been compromised, and the intrusion is believed to have been contained, according to the company. (Read Full Article)

    Bookmark or Share this article


    Related Articles

Login to comment.