Daily Alert

25 January 2009

2009 Data Breach Season Begins Strong

2009 is not even a full month old and already we have learned of two significant data breaches. Both breaches 5 Million Checkfree Consumers Warned involve account information, not personal identifying information (PII). Both, however could leave actual bank accounts of millions of consumers vulnerable to unauthorized access. The latter breach, if it proves to be as big as the initial indicators reveal, may result in the selling or closing of the business. Too extreme? The Heartland breach is being compared in scope to TJX (TJ Max) who was unable to handle the attorney general investigation, publicity and fines changed hands or even a better example,CardSystems Solutions which ended up sold and doing business as a different entity after the FTC had its way.

At some level, there is always a negligence story buried in these breaches. While even the most secure company could fall victim to a breach due to intentional attack, the least secure companies will almost certainly become breach victims and some many times. Breaches can be the result of company data retention policies, keeping more PII or account information than needed for far too long, providing more access than needed to that data to too many employees, or basically not doing enough to block electronic access to their data or not encrypting data transmissions. Having said all that, a data breach does not need to put at risk thousands of consumers at one time to be a data breach. One employee with access to consumer information as part of normal job duties carefully targeting a few of those consumer records and selling them to some one on the outside infrequently also amounts to a breach of data.

Given the fact that Heartland was unaware their responsibility as a trusted data custodian had been compromised until notified by Visa and MasterCard leads an unbiased observer to believe that Heartland's security was indeed lacking. The company is now claiming that malware infected their database, a conclusion that Heartland's own IS department should have discovered without having to be told by a third party. All this points to rogue/insider cooperation or even an insider planning the entire attack. That a global crime organization had access to Heartland's data does not mean that the same organization stole the data. PII or in this case credit and debit card numbers are easy to transmit back and forth (there would not be a credit industry otherwise) and can change hands many times before ending up in the hands of an end user perpetrator.

The scenario of greatest concern is whether or not debit card numbers along with PINs were compromised. The PIN system was once thought of as the solution to electronic credit and ATM fraud. That idea has gone by the wayside. From intentional malware type hacks like at Heartland or intercepted, non-encrypted transmissions (or weak encryption) debit and PIN while still a little safer for the credit issuers than standard credit card transactions is not the saviour it was once thought to be. From the consumer's perspective, the dispute of un-authorized credit transactions is pretty simple. Disputes where money comes directly from your checking account, money which may well have been set aside for rent, car payment, or mortgage payments, is another matter. And while disputes involving Heartland will probably be fairly easy, a consumer may still find themselves out the funds for a short period of time, (up to 10 days in some cases). Don't be surprised if Heartland is forced to sell due to fines and credit issuers billing them for each account that had to be closed and re-opened, a cost which the unsteady banking industry will do everything possible to pass along to someone.



Heartland: How This Disaster Exploded - Bank Info Security
January 22 - Tom Field
Let's talk about how a big disaster becomes an even bigger one.
On Tues., Jan. 20 - Inauguration Day - Heartland Payment Systems (HPY) President/CFO Robert Baldwin announced the company had been breached sometime in 2008. Heartland, which processes roughly 100 million transactions per month for 250,000 different businesses, says it discovered malware attached to its processing platform, and an undetermined number of consumers had their names and card numbers exposed to hackers. The breach has subsequently been contained, Baldwin says, and he believes the incident to be part of a broader cyber fraud operation.

Heartland did what we wish all such companies would do. They stood up and said "We've been breached."

Mind you, no enterprising journalist uncovered and exposed this breach, nor was it revealed by any external investigators or law enforcement agencies. It became news when Baldwin made it news, announcing the breach and a website, www.2008breach.com, set up for consumers who fear they may have been victimized. Rather than try to sweep the incident under the rug or hope not to be exposed, Heartland did what we wish all such companies would do. They stood up and said "We've been breached."
But, boy, talk about "No good deed will go unpunished..."

Within hours of the Heartland news going public, our office was besieged by queries from eager PR reps whose clients wanted to jump on this story as a platform to discuss security strategies and solutions.

And you could see right away that many of these correspondents hadn't quite read the story's fine print. Because suddenly a breach of undetermined magnitude had become:

"... a data breach that could be potentially larger than TJX."

"...tens of millions of credit and debit transactions may have been compromised..."

"...a data breach of 100 million credit cards."

"...the biggest breach ever reported."

By late Weds afternoon, I was contacted by KPCC, Southern California Public Radio, whose talk show host Patt Morrison wanted to include me in a panel discussion of the Heartland breach. The storyline here:

"Credit card processor Heartland Payment Systems suffered a huge security breach in 2008, allowing hackers to steal credit card information on more than 100 million accounts. What damage has been done and how worried should consumers be?"

By Weds night, CNBC's On the Money hosted a short exchange on Heartland, punctuated by a bunch of airbags talking over one another and attributing this breach "to a bunch of kids in an Internet café in Amsterdam."

It's like an Internet-age game of telephone. Person A says one thing to person B, and by the time it gets down the line to person Z, the story is unrecognizable.

So, the question for Heartland today is: "What damage has been done and how worried should Heartland be?"

I don't even know how to begin to answer that. Until Tuesday, it's safe to say that the average citizen didn't even know who or what Heartland was. Now, having been publicized everywhere from The New York Times and USA Today to NPR and CNBC, the company is suddenly the poster child for what the public is going to perceive as "the biggest breach ever reported."

But while Heartland struggles with its breach and the popular media struggle with getting the story straight, there are serious issues here for all of us to deal with:

Yes, Virginia, there are global fraud schemes - It's foolish for anyone who calls himself an expert to attribute a sophisticated data breach to "a bunch of kids in an Internet café in Amsterdam." We're so past that stereotype now, and it's time to acknowledge that the biggest external threats are organized, professional, expert criminals who are focused 110% on finding new ways to crack secure systems. That said...

Locking the outside door is only half the job - Think about it: Two of the biggest breaches of 2008 - Bank of New York Mellon and Countrywide Financial - were the result of data loss and a rogue insider. These are two of the biggest threats any of us face today. How much critical data walks out of your institution daily in a laptop, PDA or portable media (thumb drives, etc), and what happens if those devices get left on a train? How many critical employees have walked out of your company's employ recently - their choice or yours - and what sensitive information might have walked out with them? How will your trusted employees behave if they fear losing their jobs or their homes? Remember, bad times don't build character; they reveal it. We're going to see a lot of scary revelations in 2009.

Heartland is just the beginning - Right now, Heartland's greater issue isn't that it's "the biggest breach ever reported," but rather that it's the first one of 2009, and it fell on a day when the only other news was the Inauguration. It became the big story by default. Safe to say, though, we'll see many similar headlines as the year unfolds. Times are tough, the threats are real, and before this year gets much older we'll all be hearing about new hacks, lost data, malicious or inattentive insiders and The Next Big Story.
It's funny. On Tuesday morning, I'm sure Heartland President Robert Baldwin felt he'd done the right thing by standing up and saying "We've been breached." I wonder how he feels about that decision today?


different opinion:
Report Credit:Heartland Payment Systems - Breach Blog

Response:
From the online sources cited above:

NOTE: This breach is very significant and potentially affects millions of credit and debot card holders from multiple credit and debit card companys, regardless of bank or card issuer. In this section, we will first explore the press release before moving on to additional facts found discovered by others.

HEARTLAND PAYMENT SYSTEMS PRESS RELEASE:
[Evan] I have to say that this is one of the worst press releases I have ever read announcing a breach. I'll comment below.

Princeton, NJ — January 20, 2009 — Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained.
[Evan] The very first sentence in the press release states that Heartland is the victim. In my opinion, it is rarely a good idea to announce yourself as a victim when you are the custodian of confidential information. The owners are truly the victims.

"We found evidence of an intrusion last week and immediately notified federal law enforcement officials as well as the card brands," said Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer.
[Evan] Heartland was actually alerted by Visa and MasterCard.

"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."

No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach.
[Evan] So what? I want to know what information WAS involved.

Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.
[Evan] Again, I don't care about what Heartland systems were safe. I want to know what information wasn't safe. There is no mention of the specific data that was actually compromised anywhere in the press release.

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter.

Last week, the investigation uncovered malicious software that compromised data that crossed Heartland's network.

Heartland immediately took a number of steps to further secure its systems.

In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.
[Evan] This sounds like network intrusion detection/prevention, which has been around for quite some time. Network intrusion detection/prevention employing anomaly detection is used by many organizations processing much less sensitive information.

Heartland has created a website — www.2008breach.com — to provide information about this incident and advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers.
[Evan] This web site is nothing more than the press release and Q&A with regurgitated press release information.

Cardholders are not responsible for unauthorized fraudulent charges made by third parties.
[Evan] Not directly anyway. The money comes from somewhere (banks) and the costs will be passed on.

"Heartland apologizes for any inconvenience this situation has caused," continued Baldwin.

"Heartland is deeply committed to maintaining the security of cardholder data, and we will continue doing everything reasonably possible to achieve this objective."

FROM OTHER SOURCES:

A data breach last year at Princeton, N.J., payment processor Heartland Payment Systems may have compromised tens of millions credit and debit card transactions

If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported.

The data breach could turn out to rival the massive breach reported by TJX in 2007, which affected as many as 94 million credit card accounts.

Robert Baldwin, Heartland's president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.
[Evan] According to this statement, it appears as though fraud has already occurred. This is important information to keep in mind as you read more below.

Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country.

He declined to name any well-known establishments or retail clients that may have been affected by the breach.

Baldwin said it would be unfair to mention any one of his company's customers.

"No merchant of ours represents even [one-tenth of one percent] of our volume, and to put out any name associated with what is obviously an unfortunate incident is not fair," he said.
[Evan] This is an indication of how widespread this could get.

"Their customers might end up having their cards used fraudulently, but that fraud might turn out to have come from their store, or it might be from another Heartland store and no one will ever really know."
[Evan] Exactly, and this makes this a very scary breach.

Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.

Baldwin said that the breach was the result of keylogging malware, which covertly captures anything typed on an infected computer, such as user names and passwords.
[Evan] How could a computer connected to a network that carries extremely sensitive information become infected with malware? There are many ways in which malware can find it's way into an organization, but on a network like this?

"There were two elements to it, one of which was a keylogger that got through our firewall," he said. "Then subsequently it was able to propagate a sniffer onto some of the machines in our network. And those are what was actually grabbing the transactions as they floated over our network."

Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised.

The stolen data includes names, credit and debit card numbers and expiration dates.
[Evan] Finally, we get an indication of what data was compromised.

"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."

The company stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were jeopardized as a result of the breach.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards.

Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

"The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.
[Evan] This maybe true in some card-not-present transactions, but means nothing for data written to physical cards. People can make credit cards out of any card with a magnetic strip; gift cards that you can pick up at the Target checkout, blank cards bought online, etc. For people who want to go the card-not-present route, it may not be difficult to find an address if given a name. Mr. Baldwin's statement here means little.

As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."
[Evan] Again maybe this holds true for ONLINE merchants, but means nothing for PHYSICAL merchants.

In many cases where a processor experiences a breach, the affected banks may simply re-issue new cards to some customers.
[Evan] Which costs the bank $10-12 per card by some estimates. The bank pays for the fraudulent charges by not holding legitimate cardholders responsible AND/OR reissues cards at 10-12 bucks per card. The costs add up quick and will likely be passed on to all customers. We all end up paying eventually.

It is unclear whether consumers who receive new account numbers from their bank will ever be able to definitively tie the re-issuance to the Heartland breach.

Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services.

"Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said.
[Evan] Not identity theft, just credit/debit card fraud.

"At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers."

Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.

"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."
[Evan] After reading the horrible press release and supporting information, I tend to agree with Avivah Litan.

Baldwin said Heartland worked to disclose the breach last week.

"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said.

"We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility."
[Evan] Transparency? Please.

"There are a host of things we didn't go into that we're implementing, some larger, some smaller, all of which are designed to say, 'Okay, we had a commitment to high security. We were PCI compliant -- that was certified in April of last year. Yet we had this problem. Clearly we need to do more.' So our IT team is implementing as many additional precautions as it can as quickly as possible."
[Evan] Wait?! PCI compliance doesn't equal "high security"? The answer is NO. It's a start.

If this data breach represents heartache for Heartland, security vendors see it as an opportunity to play doctor.

"As the Heartland breach illustrates, you can be PCI compliant and still be breached," said Phil Neray, VP of security strategy at database security company Guardium, in an e-mailed statement. "Good compliance does not mean good security."
[Evan] Exactly.

Commentary:
There is still too much information missing. Personally, I am very displeased with Heartland's response and spin. It's disappointing. Effective communication is a critical piece of a good incident response plan. Poor communication can be more destructive to a company than the breach itself.

There are many missing facts. If fraud has already taken place AND it can be tied to this breach, then I think we have a very big problem on our hands. If not, we still know that the potential is there. Who would think that a little piece of code (the malware) could cause so much trouble? What can you learn from this and put into practice in your organization?

I am always interested in your thoughts…

more:
Heartland Payment Systems' Big Breach & Lame PR Tactic - The Information Week - George Hulme

Stumble Upon Toolbar

No comments:

Sderot QassamCount - via Daled Amos

Nice Jerusalem Video from Yeshiva Beit Orot

The Path To The Final Solution

 
Who links to my website?