Largest Data Breach So Far? Heartland Payment Systems
Posted by Gunter Ollmann on January 20, 2009 at 3:13 PM EST.
The media has been full of analysis concerning data breaches over the last couple of weeks, mostly related to the uptick in 2008 reports. While much of this increase can be accounted for by the wider adoption of state legislation that mandates companies to publicly disclose their data breaches, I think it is worth pointing out today’s latest disclosure – which is quite probably the largest breach ever.
Conveniently scheduled for release today and hidden amongst even more momentous media coverage, Heartland Payment Systems disclosed the discovery of malicious software within its processing system. Heartland delivers credit/debit/prepaid card processing, payroll, check management and payments solutions to more than 250,000 business locations nationwide.
Heartland have created a dedicated Web site for information about the data breach – 2008breach.com – and I recommend that readers visit the site for more details.
By way of summary, here are some of the more important aspects as I see it:
- "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice." - Robert H.B. Baldwin, Jr., Heartland's president and chief financial officer.
- After being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions… no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach.
- Using data from the forensic investigation, Heartland uncovered malicious software that compromised data, which crossed the company's network in 2008.
- Heartland advises cardholders to examine their monthly statements closely and report any suspicious activity to their card issuers. Cardholders are not responsible for unauthorized fraudulent charges made by third parties.
No details have yet been released concerning the nature of the malware, nor about the volume of card details potentially (or actually) intercepted. I’ll be interested in learning more about the particular malware, but I suspect (from a probability calculation perspective) that it’ll be fairly “standard” stuff. For a couple of hundred dollars anyone can arm themselves with a custom-created piece of malware capable of performing all the necessary interception and stealthy extrication of data – complete with 24x7 support and replacement warranty.
Apparently Heartland is planning to “…implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.” There are several things they can do in this realm, and I’m a little surprised that they hadn’t initially detected the 2008 breach. Hindsight is a wonderful thing. At least Visa and MasterCard were able to spot the suspicious transactions and trace them back to Heartland.
On that note though – for Visa and MasterCard to have spotted suspicious activities associated with the processed card transactions, I suspect that the cyber criminals had access to more than just the card numbers and unencrypted PINs. By listing only what data could not have been intercepted, Heartland leaves my mind racing to conclusions about the types of data the cyber criminals could have intercepted.
I recommend that readers keep a close eye on their credit card statements – and maybe even go through last year’s statements to make sure some fraudulent transaction didn’t already pass through and escape your notice.