Alerted by Visa and MasterCard in October 2008 of fraudulent activity surrounding credit card transactions it had processed, Heartland Payment Systems, the fifth-largest payments processor in the US, has uncovered what has the makings of the biggest data theft in history.

Indicating a sophisticated attack, two forensic audit teams called in by Heartland to conduct an investigation only discovered the existence of malicious software that had compromised its systems in the second week of January.

Heartland made news of the data breach public on 20 January in a statement in which it stressed that it does not know how many card numbers were stolen. However, the potential number is substantial given that Heartland serves about 250,000 merchants and processes some 100 million card transactions

Biggest breach yet?
Indeed, it is widely speculated that the data breach could be the biggest yet, exceeding the so-called TJX breach in 2007, in which data relating to an estimated 45 million cards was stolen from TJX and eight other retailers.

UK-based application vulnerability security specialist Fortify Software believes the data breach was probably the result of sophisticated software installed on Heartland’s

“Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor’s IT resources,” said Fortify director of product marketing Rob Rachwald.

Assuming – as seems likely – ‘rogue software’ was inserted into Heartland’s payment processing computers, Rachwald continued, the question the US Secret Service, which is working on the case, will ask is: “What happened to the security systems the card processor employs?”

This is also the question Chimicles & Tikellis, a Delaware-based law firm, is asking in a data breach class action it has filed against Heartland in a US District Court in New Jersey.

Pointing to the fact that Visa and MasterCard had brought the data breach to Heartland’s attention, the law firm states in its lawsuit: “Analysts have stated that the fact that Heartland did not detect the breach on its own suggests that it had not implemented [or was not using] all of the security controls called for by the Payment Card Industry Data Security Standard [PCI DSS], a set of security controls mandated by the major credit card

Undoubtedly, beefing up security is uppermost on the minds of Heartland executives. The approach being taken is end-to-end encryption of data, which the company believes will represent an improvement on the current PCI DSS standard.

Heartland was already working towards implementing end-to-end encryption at the time of the data breach, while its chairman and CEO Robert Carr has been advocating the adoption of end-to-end encryption by the payment processing industry for a considerable time.

“PCI [DSS] is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps,” Carr said in a statement.

While Carr conceded that there still was no single “silver bullet” that will totally secure payment systems, he stressed that end-to-end encryption should provide Heartland with the ability to implement increasing levels of security protection as they become needed.

A determined Heartland has taken steps to hasten the implementation of end-to-end encryption with the formation of a dedicated department headed by Steven Elefant, who brings with him considerable experience in the electronic POS

In addition, Elefant is a member of the Secret Service’s electronic crimes task force and InfraGard, a public-private partnership of the Federal Bureau of Investigation dedicated to combating cyber-crime.

Elefant’s task, explained Carr, will be to get encrypted data from the point of swipe/entry at the merchant to Heartland’s switch, while the internal network encryption infrastructure will be handled by new and existing IT staff under his direction.

Heartland’s objective of implementing end-to-end encryption represents a significant step for the payments processing industry, said Elefant.