Heartland Breach Hit At Its Unencrypted Point

Written by Evan Schuman
January 21st, 2009

Are data thieves now bypassing retailers and hitting payment processors directly? That may be the case if the initial details about the new Heartland Payment Systems breach—where the data from some 100 million cardholders is handled—hold true. (That said, has anyone ever seen the initial information about a major data breach hold true for more than a week?)

Early on Tuesday (Jan. 20), Heartland issued a statement saying that it had been "the victim of a security breach within its processing system in 2008." But it didn't take long for some of those initial details to fall apart.


3 Comments

  1. Cy Fenton Says:

    David – Is there any info on the customers of Heartland? It would be interesting to hear from the retailers and restaurants that use Heartland for processing.

  2. A reader Says:

    You wrote: The most interesting part of his comments about the point of weakness in Heartland’s system, comments that should sound very familiar to most retail security folk: “We have industry-leading encryption, but the data has to be unencrypted to request the information” from the card brands, Baldwin was quoted as saying. “The sniffer was able to grab that authorization data at that point.”

    This statement, coupled with the almost countless retailer breaches, demonstrates the need for an industrywide rearchitecture of the fundamentals of credit/debit authorization. Just as retailers are trying different schemes to avoid having unencrypted data, the fact that it still has to be cleartext to cross the interfaces between retailer and processor, and processor and bank, demonstrates the flaws in the system.

    Data should be protected in the cardholder’s hands and in the issuing bank’s systems. Nobody in between should ever be trusted with anything other than presenting or carrying encrypted data.

    This technology has existed for over a decade now. The days of routing paper charge slips are over. We don’t need the credit industry continuing to expose the rest of us to horrendous risks because they can’t modernize beyond carbonless paper.

  3. Jestep Says:

    Looking at this from a network security standpoint, I can’t see how there wasn’t someone on the inside helping. Heartland is a large company, with extremely well protected and complex networks. The precision required to find the only spot on the network where this data is not encrypted and put a piece of software that can extract it without tripping any sort of intrusion detection or other alarm is just too unrealistic for me to buy into. Unless their security was grossly less than what should be required, putting any encryption aside, it’s just not very likely that someone who hacked a random computer on the inside could access this point in one of their networks.

    This really leads me to two possible conclusions. First, someone on the inside, most likely in IT or someone with a high level of network access, and a very high knowledge of exactly how their system works, helped plant the software so it couldn’t be found either inherently or by the massive amount of data being extracted. Or second, Heartland had extremely weak security, unacceptably weak, and someone was actually allowed enough time to hack across multiple systems, and had enough time to find a very unique pathway of data, and had enough time to plant some software that was undetected, and extract this huge amount of data without ever being noticed for months.
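
The design the second comment argues for, where the processor only carries ciphertext and the PAN reappears solely at the issuer, as an added example in Go (not code from the article, from Heartland or from any card brand). It assumes a hypothetical per-card AES-GCM key shared only by the card-side device and the issuer; the field names, the PAN and the key are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type AuthRequest struct {
	BIN, Amount       string // cleartext for routing, bound into the ciphertext as AAD
	Nonce, Ciphertext []byte // "PAN|expiry" under AES-GCM, key held only by card and issuer
}

// CardKey builds the AEAD for a key the issuer provisioned to one card (hypothetical per-card key).
func CardKey(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealForIssuer models the cardholder-side device building the authorization request.
func SealForIssuer(gcm cipher.AEAD, pan, expiry, bin, amount string) (AuthRequest, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return AuthRequest{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(pan+"|"+expiry), []byte(bin+"|"+amount))
	return AuthRequest{BIN: bin, Amount: amount, Nonce: nonce, Ciphertext: ct}, nil
}

// ProcessorView is everything a tap at the processor can observe: no PAN, no expiry.
func ProcessorView(r AuthRequest) string {
	return fmt.Sprintf("bin=%s amount=%s ct=%x", r.BIN, r.Amount, r.Ciphertext)
}

// IssuerOpen is the only point where the PAN becomes cleartext; a BIN or amount altered in transit fails here.
func IssuerOpen(gcm cipher.AEAD, r AuthRequest) (string, error) {
	pt, err := gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.BIN+"|"+r.Amount))
	return string(pt), err
}

func main() {
	gcm, _ := CardKey([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key, not a real one
	r, _ := SealForIssuer(gcm, "4111111111111111", "1225", "411111", "4250")
	fmt.Println("processor sees:", ProcessorView(r))
	fmt.Println(IssuerOpen(gcm, r))
}
```

Contrast this with the flow the article quotes, where the processor itself decrypts before forwarding: there, a tap at that decryption point sees the full PAN rather than the `ct=` blob printed here.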
