Alerted by Visa and MasterCard in October 2008 of fraudulent activity surrounding credit card transactions it had processed, Heartland Payments Systems, the fifth-largest payments processor in the US, has uncovered what has the makings of the biggest data theft in history.
Indicating a sophisticated attack, two forensic audit teams called in by Heartland to conduct an investigation only discovered the existence of malicious software that had compromised its systems in the second week of January.
Heartland made news of the data breach public on 20 January in a statement in which it stressed that it does not know how many card numbers were stolen. However, the potential number is substantial given that Heartland serves about 250,000 merchants and processes some 100 million card transactions monthly.
Biggest breach yet?
Indeed, it is widely speculated that the data breach could be the biggest yet, exceeding the so-called TJX breach in 2007, in which data relating to an estimated 45 million cards was stolen from TJX and eight other retailers.
UK-based application vulnerability security specialist Fortify Software believes the data breach was probably the result of sophisticated software installed on Heartland’s computer systems.
“Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor’s IT resources,” said Fortify director of product marketing Rob Rachwald.
Assuming – as seems likely – ‘rogue software’ was inserted into Heartland’s payment processing computers, Rachwald continued, the question the US Secret Service, which is working on the case, will ask is: “What happened to the security systems the card processor employs?”
This is also the question Chimicles & Tikellis, a Delaware-based law firm, is asking in a data breach class action it has filed against Heartland in a US District Court in New Jersey.
Pointing to the fact that Visa and MasterCard had brought the data breach to Heartland’s attention, the law firm states in its lawsuit: “Analysts have stated that the fact that Heartland did not detect the breach on its own suggests that it had not implemented [or was not using] all of the security controls called for by the Payment Card Industry Data Security Standard [PCI DSS], a set of security controls mandated by the major credit card companies.”
Undoubtedly, beefing up security is uppermost on the minds of Heartland executives. The approach being taken is end-to-end encryption of data, which the company believes will represent an improvement on the current PCI DSS standard.
Heartland was already working towards implementing end-to-end encryption at the time of the data breach, while its chairman and CEO Robert Carr has been advocating the adoption of end-to-end encryption by the payment processing industry for a considerable time.
“PCI [DSS] is a good and effective standard, but the bad guys have become more sophisticated to the point where encryption of data in motion appears to be one of the next required steps,” Carr said in a statement.
While Carr conceded that there is still no single “silver bullet” that will totally secure payment systems, he stressed that end-to-end encryption should give Heartland the ability to implement increasing levels of security protection as they become needed.
A determined Heartland has taken steps to hasten the implementation of end-to-end encryption with the formation of a dedicated department headed by Steven Elefant, who brings with him considerable experience in the electronic POS market.
In addition, Elefant is a member of the Secret Service’s electronic crimes task force and Infragard, a public-private partnership of the Federal Bureau of Investigation dedicated to combating cyber-crime.
Elefant’s task, explained Carr, will be to get encrypted data from the point of swipe/entry at the merchant to Heartland’s switch, while the internal network encryption infrastructure will be handled by new and existing IT staff under his direction.
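As an added illustration of the swipe-to-switch model described above, and not Heartland's design or code, the following Go program encrypts card data at the terminal under a key only the terminal and the processor's switch hold, binds the clear routing fields into the AES-GCM authentication tag, and shows that a merchant host in the middle sees no card number and that an envelope re-addressed in transit is rejected at the switch. The key, merchant and terminal identifiers, envelope layout and card string are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is the constructed wire form from terminal to switch: routing
// fields in the clear (but bound into the GCM tag as associated data), card
// data as ciphertext that the merchant host and every hop can only forward.
type Envelope struct {
	MerchantID, TerminalID string
	Nonce, Ciphertext      []byte
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length: a configuration error, not a runtime one
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return gcm
}

// terminalEncrypt runs at the point of swipe, the last place the card data is in the clear.
func terminalEncrypt(key []byte, merchant, terminal, cardData string) Envelope {
	e := Envelope{MerchantID: merchant, TerminalID: terminal}
	gcm := newGCM(key)
	e.Nonce = make([]byte, gcm.NonceSize())
	rand.Read(e.Nonce) // fresh nonce per swipe; crypto/rand.Read never fails in Go 1.24+
	e.Ciphertext = gcm.Seal(nil, e.Nonce, []byte(cardData), []byte(e.MerchantID+"|"+e.TerminalID))
	return e
}

// switchDecrypt runs at the processor's switch; anything altered in transit fails here.
func switchDecrypt(key []byte, e Envelope) (string, error) {
	pt, err := newGCM(key).Open(nil, e.Nonce, e.Ciphertext, []byte(e.MerchantID+"|"+e.TerminalID))
	return string(pt), err
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; real terminal keys live in HSMs
	e := terminalEncrypt(key, "M0001", "T0042", "PAN=4111111111111111;EXP=1012")
	fmt.Println("PAN visible to merchant host:", bytes.Contains(e.Ciphertext, []byte("4111111111111111")))
	e.MerchantID = "M9999" // a compromised hop re-addresses the envelope
	fmt.Println(switchDecrypt(key, e)) // empty plaintext plus a GCM authentication error
}
```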
Heartland’s objective of implementing end-to-end encryption represents a significant step for the payments processing industry, said Elefant.