
Heartland Payment Systems Attempts To Hide Largest Data Breach In History Behind Inauguration

Brian Krebs of the Washington Post dropped me a line this morning on a new article he posted. Heartland Payment Systems, a credit card processor, announced today, January 20th, that up to 100 Million credit cards may have been disclosed in what is likely the largest data breach in history. From Brian's article:

Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach. Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients.

...

"The transactional data crossing our platform, in terms of magnitude... is about 100 million transactions a month," Baldwin said. "At this point, though, we don't know the magnitude of what was grabbed."

I want you to roll that number around on your tongue a little bit. 100 Million transactions per month. I suppose I'd try to hide behind one of the most historic events in the last 50 years if I were in their shoes.

"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said. "We considered holding back another day, but felt in the interests of transparency we wanted to get this information out to cardholders as soon as possible, recognizing of course that this is not an ideal day from the perspective of visibility."

In a short IM conversation Brian mentioned he called the Secret Service today for a comment, and was informed they were a little busy.

We'll talk more once we know more details, but this is becoming a more common attack vector, and by our estimates it is the most common vector in massive breaches. TJX, Hannaford, and CardSystems, three of the largest previous breaches, all involved installing malicious software on internal networks to sniff cardholder data and export it.

This was also another case that was discovered by first detecting fraud downstream and tracing it back to its origin, rather than through the company's own internal security controls.

—Rich

Comments:

If you like to leave comments, and aren't a spammer, register for the site and email us at info@securosis.com and we'll turn off moderation for your account.

By Liquidmatrix Security Digest » Payment Proce  on  01/19  at  11:28 PM

[...] point! Rich Mogull touches on the aspect that it appears that Heartland naively attempted to hide the breach behind today’s inauguration.  Tag [...]

By Dave Hull  on  01/19  at  11:44 PM

Any word on whether or not they were PCI Compliant according to some QSA(tm)?

By LonerVamp  on  01/20  at  12:10 AM

Ghastly, just ghastly. And yet, for as much as we all could learn and improve from this incident and any mistakes that led to it, we’ll likely never hear the real stories.

By rmogull  on  01/20  at  12:13 AM

@Dave- I suspect they would HAVE to be compliant, since they are a level 1.

By Heartland Payment Systems Breach | Payment Systems  on  01/20  at  01:18 AM

[...] public via a Press Release as well as to create a website for more information. However, I do like others, question the timing the the [...]

By Marcin  on  01/20  at  01:43 AM

@Dave Hull

http://74.125.47.132/search?q=cache:CRQ9ty_Bo3oJ:www.jobfox.com/Web/Seeker/WorkSampleFileHandler.ashx

TrustWave?

By Chris Pepper  on  01/20  at  01:55 AM

You guys are falling down on the job. It must be the miasma of hope & optimism disarming your natural cynicism. "began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments." But he then says "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible. At the same time, we recognize and feel badly about the inconvenience this is going to cause consumers."

So he’s clearly lying.

They announced today to take advantage of distraction. They’re not doing anything about fraud monitoring because it would be expensive and embarrassing. The bits about addresses and being safe are to cover their inadequate response and guilt.

By Network Security Podcast » Blog Archive &raq  on  01/20  at  04:47 AM

[...] Is this the largest data breach ever? And did they try and hide behind the inauguration? [...]

By Network Security Blog » Network Security Pod  on  01/20  at  04:49 AM

[...] Is this the largest data breach ever? And did they try and hide behind the inauguration? [...]

By Anonymous  on  01/20  at  05:47 AM

PCI compliance does not protect you against a targeted attack. It says you need to segment your transaction data from other networks. It says you need to control outbound rule sets. It does not specifically say how to do that or what is required during an audit.

By Anonymous69  on  01/20  at  02:34 PM

@Matt Harringan

AV ? "Anti-Malware" ? ROTFL!

you have no fscking idea do you?

htf would that make any difference?

By Tim B  on  01/20  at  02:54 PM

I’m not sure where you are getting "100 million credit cards" from.

The Wired blog report indicates that Heartland learned of a potential breach in late October 2008. They eventually discovered the malware last week, in mid January 2009. So their systems were compromised for at least three months. If they process 100 million transactions a month, then that’s a potential exposure of 300 million transactions. I suppose that assuming multiple card usage brings that down, but there’s no mention of a guesstimated level of repeat usage in any of the reports I’ve seen of this so far.

Incidentally, Heartland were certified PCI-compliant in April last year. Given the time scale of October to January, that suggests that at least one quarterly review missed finding the compromise in their systems.

By Anonymous  on  01/20  at  03:02 PM

@Anonymous69—
Thanks for the backup. Exactly. AV in its current incarnation is dead. The only way I have been able to correlate some of these 0-days is to look at behavior of outbound systems after a lot of whitelisting.

Anyone worth their salt will tell you that if your info is that valuable it isn’t hard to write a piece of malware JUST FOR YOU.

By Stuart Ward  on  01/20  at  06:39 PM

Sounds like an inside job to me.

By While nobody is looking… « Brian Ladd&  on  01/20  at  07:17 PM

[...] back to Heartland, and involved malicious software snooping their internal network. I’ve written some additional analysis on this and similar breaches. It’s interesting that the biggest breaches now involve attacks [...]

By merchantgrl  on  01/22  at  11:51 PM

The news finally made our front page newspaper in S. Florida today, however it was a rehash of the press release from Tuesday. 

It seems 2008breach.com site is being used more for PR than to actually help merchants and consumers understand the implications which I think should be in very plain language.
Did you see the new press release? "Heartland Payment Systems added more than 400 merchants to its client base in the past few days — exceeding results for the same period from last year." How many of those merchants were told about the breach before their paperwork was processed? It’s important to keep things positive so their business doesn’t crash, but the web site is really not being forthcoming.

I visited who was recently alerted by Bank of America within the last couple of weeks about unusual activity. High number of small transactions suddenly started appearing. Related? There’s no way to know. But Heartland is entrenched in our area and I’m not waiting until there is a problem. I just replaced my main card that I know was used at Heartland merchants in December.

Regarding the case study. I can post hard facts in a special section on my blog at 3dmerchant.com/blog as they become available. For now I’m just putting notes in regular posts that include facts and comments, but I can sum up later with just the facts.

By  on  01/26  at  12:15 AM

According to Visa, Heartland is under review, not PCI compliant:
http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

Note the "*" in the Heartland entry.

By Security Summary: 27-01-2009 | ContraRISK  on  01/26  at  01:11 PM

[...] 100 million transactions a month), and some are even suggesting that Heartland has tried to play down the breach, hoping that the presidential inauguration would keep it off the front pages. This could turn out [...]

By Rafal  on  01/27  at  03:55 AM

... but of course!  I can’t imagine VISA would allow the PCI image to be tarnished, especially in a massive case like this!  I wonder who’s telling the truth because according to an article I read earlier HPS claims it was PCI Compliant as of April 2008… someone’s lying here.

By » An Information Security Place Podcast - Ep  on  01/28  at  01:02 PM

[...] Largest CC breach Ever !! Yes, I am talking about Heartland.  100 million + credit cards and the accusation that they attempted to hide behind the inauguration [...]

By Annie-Nimous  on  01/28  at  06:01 PM

@ Rafal: You seem to be missing the fact that a compliant report is merely a snapshot in time ... meaning it’s only relevant to the compliance of an environment at any given time.

Unless the QSA is checking daily (hourly?) there are no guarantees of continued compliance once the QSA has written the report.

By Erik  on  01/28  at  08:29 PM

Need payroll service call me at 866-341-3506.

Thank you, Erik Tonge

By John  on  01/30  at  02:10 AM

Just a few days after the Heartland data breach was announced someone swiped a counterfeit credit card with my account info at a car dealership in Illinois (I was in Europe at the time). Better watch your accounts folks!

By merchantgrl  on  02/05  at  07:44 PM

I think you should have better information from within your company than to be asking outsiders on a blog what they think.

Until there is an announcement of someone getting busted and more details, who knows? I don’t expect them to say how someone did it (just opens the door for other attempts) but they should at some point be able to say "We know who did it, how they did it, and we have protected our system to prevent this and other future threats."

By wayno  on  02/28  at  01:15 AM

Does your card have to be used for them to get any info from it!  or just to have an account! with any CC company???
