Move over TJX: Heartland data, card breach may be biggest yet
With literally tens of millions of card transactions at risk, malware found on the server of Heartland Payment Systems may make history.
January 26, 2009
The complaints started in the fall of 2008.
In late October, Heartland Payment Systems, a Princeton, N.J.-based company that provides payment processing for roughly 200,000 U.S. businesses, was contacted by Visa and MasterCard about reports of fraudulent activity taking place on cards it had processed.
"Everybody was trying to put the puzzle pieces together," said Jason Maloni, spokesman for Heartland. "We immediately engaged a forensic investigation firm that set about looking at our system from top to bottom."
Maloni claims it wasn't until the week of Jan. 12 that officials at Heartland realized security problems existed. That's when forensic investigators uncovered carefully hidden malware on Heartland's servers. The malware's purpose was to identify private cardholder data, record it and, presumably, transmit it to an unknown third party for criminal use.
"The good news is that the software has been removed," Maloni said. "Unfortunately, the bad news is that key data was compromised during a period in the latter part of 2008."
Too many 'debit' and 'credit' unknowns
At this point, it's difficult to judge just how bad that bad news is. Maloni says his company processes roughly 100 million transactions per month, 40 percent of which are for small-to-medium-sized restaurants. It's not known how long the malware was on the server, nor whether it was able to transmit data to its intended third party — although Maloni admits the complaints of fraudulent card activity received by Visa and MasterCard would seem to indicate that the data was successfully transmitted to the third party.
Reports vary on exactly how many transactions may have been compromised. A Jan. 20 article in The Washington Post estimates the amount to be in the "tens of millions."
For perspective, the infamous TJX breach — until now thought to be the largest case of card-data theft in history — affected 45 million cardholders, though it's not known how many individual transactions were compromised. The Washington Post article says the Heartland breach may exceed that.
But Maloni says it's far too early to be making comparisons.
"Frankly that is speculation at this point, since we don't have a firm idea of what numbers are out there," he said.
David Shackleford, the chief security officer at Configuresoft Inc., says the abundance of unknowns is the most troubling aspect of the breach.
"These guys had malicious software installed in their environment that monitored transactions going pretty much across the board, and the big thing about this is they didn't know when it was installed, how it was installed, or how long it was there," said Shackleford, whose company provides IT solutions for businesses. "All the other factors are almost moot in comparison right there."
Maloni did say, however, that the investigation so far has confirmed that personal identification data, such as Social Security numbers, addresses, zip codes, PINs and CVV2 numbers (the three digits on the backs of credit/debit cards often used in Internet transactions), were not compromised.
What may have been compromised, he says, were cardholder names, card numbers and expiration dates.
Another thing Maloni says he can confirm is that it wasn't an inside job. He says the U.S. Secret Service, which is investigating the breach along with the U.S. Department of Justice, has uncovered information that suggests the breach may involve individuals from outside the U.S.
"It appears to be an international cyber crime organization — a global cyber crime organization," he said, though he wouldn't provide any details about the countries allegedly involved.
Representatives from the U.S. Department of Justice and the U.S. Secret Service refused to comment.
Also of interest to investigators is the entry point the criminals used to install the software on the server. Neither U.S. authorities nor Heartland has released information about that issue.
Though Shackleford admits it's speculation, he says hackers often use badly coded Web sites as backdoors to company servers. Using such a site would enable the hackers to plant the software from an off-site location.
"That's the No. 1 thing that most people are starting to have trouble with," he said. "Everybody rushed to put Web applications out there and they're coded horribly."
Who's to blame?
When it comes to prosecuting data breaches like this one, Shackleford says the international aspect can be a significant obstacle, given that some countries have no extradition laws for computer crime. In fact, Shackleford says U.S.-based criminals will often send the data from server to server, crossing through another country so authorities can't easily follow the trail.
"The minute it crosses the border into Yugoslavia, the case is almost dead," he said. "It's crazy, right? Most people don't realize that the No. 1 location in the world for online auction fraud is Romania. Romania is one of those countries, so it's very, very difficult to prosecute things there."
Even cases in the U.S. can be difficult to prosecute, Shackleford says, adding that the data trail often leads to a computer lab at a university or public library, where it's next-to-impossible to link the evidence to an individual user.
Penalties
Obviously criminals can be prosecuted, but the breach does raise questions about liability.
Shackleford says the onus is on card associations like Visa and MasterCard to put the pressure on processors and merchants that get compromised. He says that pressure could come in the form of dramatically increased fees for any Visa or MasterCard transactions, or through card issuers disallowing the transaction altogether – something that did not happen after the TJX case.
"Have they (TJX) really suffered at all?" Shackleford asked. "That's the question. No: They got a slap on the wrist. They had some fines levied against them that were paltry."
At the same time, he says consumers remain indifferent to news of the breaches.
"If you as a consumer still go shop at Marshalls and pay with a credit card, even after what happened happened, then TJX pretty much gets away scot-free," he said. "Consumer apathy is one major problem."
That said, it's still unclear what actions Heartland could have taken to avoid the alleged breach. Maloni says the company has been PCI compliant since April 2008. And he dismissed the suggestion that Visa and MasterCard should raise Heartland's transaction fees.
"It serves no one to talk about stringent penalties unless we're also going to talk about what we need to do to make sure we have stringent security," he said, adding that Heartland has created a site, www.2008breach.com, where consumers and merchants can learn more about the data compromise.
The liability factor
The real question that might worry merchants, restaurants and self-service deployers that are customers of Heartland is the issue of liability. Could they be held civilly liable for choosing a payments processor that may not have had all the necessary security measures in place?
Larry Washor, an attorney for Los Angeles-based Washor & Associates who specializes in business and technology law, says he doesn't think so, since there is virtually no way a merchant can investigate a processor's security measures, beyond confirming that those measures are PCI compliant.
But there are some basic steps a merchant can take.
"Check with the Better Business Bureaus as to the reputation of the processor," he said. "Some have very, very bad reputations. I could name several that I would recommend people not use, although I wouldn't want to do it in print."