Heartland data breach sparks security concerns in payment industry

Lack of details, company's size spur questions about how system intrusion happened

The lack of details surrounding the potentially massive data breach that Heartland Payment Systems Inc. disclosed this week is fueling questions and concerns within the payment processing industry about the exact nature of the security compromise.

The concerns also are being driven by the fact that Princeton, N.J.-based Heartland is one of the largest processors of credit and debit card transactions in the U.S. It handles more than 100 million card transactions per month for 250,000 clients; that a company so large could have its systems compromised by intruders for what appears to have been an extended period of time is prompting more than the usual curiosity about how the breach took place.

In addition, Heartland, as a large processor of card transactions, has been required to comply with the Payment Card Industry Data Security Standard — a set of security controls mandated by the major credit card companies — for a considerably longer time than retailers have been. As a result, Heartland was generally expected to have stronger controls in place for preventing, detecting and responding to system intrusions than many other entities covered by the PCI rules do.

"We're dying for information on this one," said Henry Helgeson, president and co-CEO of Merchant Warehouse Inc., a Boston-based provider of payment card processing services and software. "Everybody who processes card information is dying to know how exactly this happened."

For the time being, Helgeson added, he and other Merchant Warehouse officials are "scratching [our] heads" about the breach at Heartland. "One of our frustrations right now is, if this is a new attack, we need to know about it," he said. "We need to know if what happened to Heartland can happen to [other payment processors]."

Heartland disclosed the breach on Tuesday, saying that unknown intruders had broken into its networks sometime last year and stolen payment card transaction data. Although Heartland didn't disclose the number of card accounts that might have been compromised, some outside estimates from analysts and people within the payment industry have pegged the number at more than 100 million, which would make it by far the biggest payment card breach to date — surpassing the 45.6 million card numbers that The TJX Companies Inc. said were stolen in a breach that the retailer disclosed in January 2007.

Based on the small amount of information that Heartland has released so far, the hackers appear to have planted some sort of malware capable of sniffing out payment card data as it moved across the company's network, and then to have spirited it out of Heartland's systems in encrypted data streams.

The fact that Heartland didn't detect the malicious activity until being alerted to it by Visa Inc. and MasterCard International Inc. suggests that the company hadn't implemented, or wasn't using, all of the security controls called for by the PCI standard, analysts said.

For instance, Heartland's ignorance of the malware on its network indicates that it wasn't doing file integrity monitoring on a routine basis, Gartner Inc. analyst Avivah Litan said. That is a PCI requirement designed to enable companies to detect unauthorized content in files and directories on servers, as well as changes or additions to permissions and privileges.

Similarly, Heartland appears not to have been monitoring or filtering the traffic heading out of its network, said Mike Rothman, vice president of strategy at eIQnetworks Inc., a vendor of security risk management tools in Acton, Mass. It also doesn't appear to have been analyzing log data collected from firewalls, intrusion prevention systems and other security devices, Rothman said.

"If you do some kind of data leak prevention type of analysis, you would be able to say, 'Why is a server on my internal payment network sending data outside the network?'" Rothman said. "Even if the data is encrypted, you should see the traffic flows."
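The egress check Rothman describes, as an added example (not Heartland's code or anything published with the article): flow records for the payment segment are reviewed against an allow-list of external destinations without inspecting payload content, so an encrypted outbound stream still surfaces. The subnet, the allow-listed gateway address and the flow records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed internal payment segment and RFC 1918 ranges treated as "inside".
PAYMENT_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed allow-list: the only external host payment servers should reach
# (TEST-NET-3 placeholder standing in for a card-brand gateway).
ALLOWED_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}

# Constructed NetFlow-style records: (src, dst, dst_port, bytes_out).
FLOWS = [
    ("10.20.1.5", "10.20.2.9", 1433, 12_000),         # database traffic inside the segment
    ("10.20.1.5", "203.0.113.10", 443, 900_000),      # allow-listed gateway
    ("10.20.1.7", "198.51.100.44", 443, 48_000_000),  # unknown external host over TLS
    ("10.20.1.7", "198.51.100.44", 443, 51_000_000),  # same host again: sustained transfer
    ("10.20.1.9", "198.51.100.77", 443, 5_000),       # small, but still unapproved egress
    ("192.168.5.3", "198.51.100.80", 80, 3_000),      # office workstation, out of scope
]

def is_internal(addr):
    return any(addr in net for net in INTERNAL_RANGES)

def suspicious_egress(flows, payment_segment=PAYMENT_SEGMENT, allowed=ALLOWED_EXTERNAL):
    """Sum bytes per (src, dst, port) for payment-segment hosts talking to
    external destinations that are not on the allow-list. Content is never
    examined; only the existence and volume of the flow matters."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in payment_segment:
            continue                      # not a payment server: out of scope here
        if is_internal(d) or d in allowed:
            continue                      # expected traffic
        totals[(src, dst, port)] += nbytes
    return dict(totals)

def rank_alerts(totals, high_volume_bytes=10_000_000):
    """Turn the totals into alerts, largest transfer first; any unapproved
    egress is at least 'medium', sustained volume is 'high'."""
    alerts = []
    for (src, dst, port), nbytes in sorted(totals.items(), key=lambda kv: -kv[1]):
        severity = "high" if nbytes >= high_volume_bytes else "medium"
        alerts.append({"src": src, "dst": dst, "port": port,
                       "bytes": nbytes, "severity": severity})
    return alerts

if __name__ == "__main__":
    for a in rank_alerts(suspicious_egress(FLOWS)):
        print(f"{a['severity']:6} {a['src']} -> {a['dst']}:{a['port']} {a['bytes']} bytes")
```

In practice the allow-list comes from the segment's documented connectivity, and the same aggregation runs over exported flow records from the firewall or router rather than an inline list.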

A spokesman for Heartland said today that the company is aware of the numbers being bandied about but still has no idea itself about the scope of the breach. The intruders stole the so-called Track 1 and Track 2 data stored on the magnetic stripes on the back of cards, the spokesman said. But, he added, data such as unencrypted PINs, card verification numbers and the Social Security numbers, addresses and ZIP codes of cardholders wasn't compromised.

According to the spokesman, Heartland was alerted late last year by Visa and MasterCard about suspicious activity involving transactions it had processed. But it didn't uncover the system intrusion until last week, despite having hired two forensics companies to investigate the situation. He described the malware planted by the hackers as "extremely sophisticated code" that eluded the forensics analysts for months.

Heartland still has no idea how long the code had been on its network, the spokesman noted. "All we know is that it was there for a period of time in the second half of 2008," he said.

The spokesman also said that Heartland had been certified as being PCI-compliant last April. However, in an FAQ document posted on the company's breach information Web site, Heartland said without elaborating that after discovering the malware, it "immediately took a number of steps to further secure its systems." The company added that it plans to "implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cybercriminals."

Visa and MasterCard also have yet to divulge any specific information about the scope or nature of the breach. For instance, MasterCard said in a statement that it would be "premature for us to speak to any numbers or metrics" at this point because an investigation into the breach is still ongoing.

If the compromise was as big as is being suggested, the sheer number of compromised cards would make it highly unlikely that banks would cancel and reissue all of them, Helgeson said. The overall cost of doing that likely would be in the range of $600 million to $1 billion, he estimated. Such an amount, he added, would be far more than any credit card fraud that is likely to result from the compromise.

A breach on the scale of the outside estimates also would likely draw attention from lawmakers, regulators and the legal community, analysts predicted.

Already, one law firm, Chimicles & Tikellis LLP in Haverford, Pa., has said that it is exploring the possibility of a class-action lawsuit against Heartland. The firm, which has an ongoing lawsuit against Bank of New York Mellon Corp. in connection with a breach disclosed last May, is looking at whether Heartland was negligent in its duty to protect data and whether there might have been a breach of implied contract as a result, said Joseph Sauder, an attorney at Chimicles & Tikellis.

In addition, if it is found that Heartland wasn't compliant with the PCI requirements, the company could face potentially steep fines from the credit card companies, said Scott Vernick, a partner at Philadelphia-based law firm Fox Rothschild LLP. Banks that are forced to reissue cards because of the breach will look to Heartland for reimbursements, Vernick added. And regulators likely are going to want to know if the company was following industry best practices for IT security when it was breached, he said.

The issue of when Heartland first learned of the breach, and when the company publicly disclosed the system intrusion, will also assume significance down the road, Vernick said.

The breach is also sure to add to the growing chorus of doubt about the efficacy of the PCI rules. At a minimum, what happened at Heartland will put pressure on the card companies to enforce the requirements more stringently — and more visibly — than they have thus far.

There is precedent for harsh action to be taken, though. When CardSystems Solutions Inc., then a major payment processor, was hit by a data breach that compromised about 40 million payment cards in 2005 — just months after the first version of the PCI standard was announced — Visa and American Express Co. eventually stopped doing business with the company.

"It will be interesting to see what the card companies do" in the case of Heartland, Helgeson said.
