Heartland breaks the nine-figure data-breach barrier

By Angela Gunn | Published January 21, 2009, 10:46 AM

The 2006 Veterans Administration breach will always hold a special place in our hearts for targeting a population who deserved much better protection, and the TJX breach of 2007 will live forever in the legends of security professionals who can't fathom how the security-light retailer managed to stay in business after such a heaping helping of incompetence, but the newly revealed hole at Heartland Payment Systems gets some special prize for sheer scope of theft. Even the head of the company isn't sure how big that scope is, but the company handles over 100 million transactions every month.

The company does know what was not compromised, according to a release this morning: merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), consumer addresses or telephone numbers; Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms. And they really knew how to kick off the damage-control effort: Announce when all eyes are on the inauguration, and pick up a URL for their breach-info site that emphasizes the year the breach apparently occurred (2008) rather than the year it was revealed (2009).

But what we don't know is apt to keep forensic folk (and maybe lawyers) digging for weeks. For instance, how long was the data-stealing malware resident on Heartland systems? The company has been working with the Secret Service and the Department of Justice to figure out what's happened, and suggests that a global criminal ring may be implicated; anyone we've heard of? And -- the $64 question, and probably worth much more depending on the answer -- is this just some VA-style mess where the breach actually resulted in no identity-theft or fraud issues for individuals, or more like TJX, where sleazy people did sleazy things with the stolen data?

Comments


Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. For example: Microsoft patched for this virus 4 months ago. I like to pass along things that work, in hopes that good ideas make their way back to me, and as CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.

Score: 0


"merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), consumer addresses or telephone numbers"

What about the CSC (or CVV or CV2 depending on what you want to call it)?

To make a purchase online you need: card number, name on card, CSC, and end date of the card.
Which bits of this data were leaked, and which weren't?

Score: 0


Everyone's dying to know about the CVVs, Paul -- especially since the company, if it was flying right with PCI-DSS, would not have been retaining that piece of data. As to the rest, names and card numbers definitely appear to have been in the breached datamass. Haven't heard a peep re expiration dates.

Score: 0


Ah yes, the old "shoulda" argument.
Thinking about it though (never thought about this before), shouldn't you have to enter your CVV number every time you purchase something? Isn't it the law that they're not allowed to store that data? If so, why can I buy from, say, Amazon without having to enter it once I've logged in?

Score: 0


"anyone we're heard of?"

I don't think that's the word you wanted. :p

Mod this post to oblivion, folks. You know you want to. :)

(how low does it go??)

Score: -2


You missed:
"But what we doesn't know is..."

Score: 0


Ah, lovely. (Isn't it nice to see that some sentences actually do get rewritten from draft, however incompletely?) Both are corrected with thanks; whatever y'all think of the changes to the look of the site, I must say that it seems to be far simpler to get little typo correx through the publishing system these days...

Score: 0
