As promised in my last entry, it’s time for a recap of the Heartland Payment Systems data breach. I’m hoping this will be the last time I have to mention Heartland. It will be unless there is a major revelation to the whole story.
How it happened
According to all reports, including those from Heartland, the data breach happened at the one point in the on-line payment process where data is not encrypted – the passing of the data from the processor to the processing network. The weakest link was exploited. Heartland claims to have been PCI compliant at the time the breach was discovered, and there were some reports that Visa had confirmed that claim. But Heartland also said that no records were being breached at the time of discovery. We’ll take a look at the PCI question in a minute.
The number of records breached
We’ll never know the actual number of records affected by the breach. The whole Heartland mess is shrouded in corporate secrecy, but here’s what we do know. Bank Info Security is reporting that over 600 institutions had card accounts breached. It’s important to note that these are only reported and confirmed numbers. There could be hundreds, if not thousands, more. Remember that Heartland processes payments for 175,000 merchants at the rate of over 100 million transactions per month, and this breach was on-going for 6 months.
Of the 600 reporting entities, only 180 reported the number of accounts that were affected, for a total of 1,063,040 cards. We can only guess at the actual numbers but, in the end, the real numbers are probably staggering. Initial speculation that this was the largest data breach ever could certainly be accurate.
Heartland’s public reaction
Once Heartland had confirmed Visa’s suspicions of a data breach, they went on the defensive almost immediately. No surprise there. They created a website that was supposed to keep cardholders and merchants informed. What that website turned out to be was, in my opinion, nothing more than another sales site. I can’t fault a company for wanting to mitigate damages caused by an incident of this magnitude; any of us would. But the site hardly kept us informed of anything related to the breach. It was just an attempt to tell the public about all the good at Heartland. I wasn’t impressed.
The PCI implications
As I noted earlier, Heartland claimed to be in full compliance with the PCI DSS standard at the time the breach was discovered. It makes for a nice PR bit, but I see it as irrelevant. PCI compliance is a snapshot in time. Since the breach was on-going from May through October, there was plenty of opportunity for them to be out of compliance. Apparently Visa thought so too. Heartland has been removed from the official list of compliant processors. Interestingly, they are still permitted to do business, and that raises some questions.
You’ll hear the CEO of a breached credit card processor plead “But we were PCI DSS compliant” and simultaneously you will hear the PCI council say that “No PCI compliant processor has ever been breached.” Both of these statements can’t be correct.
Were they out of compliance only during the actual times that the data was being siphoned? Were they, perhaps, compliant, and Visa (and the others) discovered a flaw in the PCI standard that allowed the bad guys in anyhow? Were they blatantly out of compliance, but Visa made an exception and allowed Heartland to continue because they couldn’t afford not to? We’ll never know, but don’t be surprised if you see some revisions to the PCI standard in the near future.
The fallout
Heartland will be paying for this breach for a long time, not only in dollars but in trust, image, and all the rest. There are already lawsuits by the dozens for both actual and punitive damages. Lawsuits, as we all know, can be filed by anyone for anything, and winning them is what really counts. They will go on for years, and even in the unlikely event that Heartland prevails in every one of them, their legal and administrative costs are sure to be in the millions.
The Card Companies (The Associations) are now fining the acquirers as a result of the losses. That may sound a bit strange, but the reasoning is simple. The Associations don’t have a contractual relationship with Heartland; they have one with the acquirers who, in turn, have a contractual agreement with Heartland and will pass the fines on to them. The path of least resistance from Visa to Heartland is through the acquirer.
There you have the bottom line. Millions of cards, millions of dollars, and a lot of secrecy. Nothing changes.
Kelvin wrote:
There are so many opinionated misstatements in this article I don't even know where to begin.
Opinionated - of course. Most blogs are and I make no claims that mine is not.
First, the lack of information on the breach is not from a mysterious "shroud" of "corporate secrecy" but due to the lack of hard evidence on how much data was stolen. Data doesn't sit on the shelf like a physical object. The malware hackers are using is sophisticated enough to hide itself and prevent data forensics experts from knowing what actually happened. Putting the pieces together to determine how much data was stolen is not as simple as you think.
This was likely the case with another major data breach that occurred in 2008 in which the processor involved has not even announced the breach.
I don't think for a minute that it's easy and I'm also well aware that the hackers are more sophisticated than most of the people trying to catch them. Please don't tell me that there isn't a "shroud of corporate security" (your words, not mine) and in the next paragraph tell me that there was another major breach in 2008 that has yet to be disclosed. I think I see a bit of secrecy there. And then there's Heartland's very obvious attempt to withhold information with statements like the breach went on for "more than weeks" and their total silence on the number of accounts potentially exposed even as the affected issuers are, to some extent, coming clean.
Related to the undisclosed breach, if you read my March 3rd entry (http://www.merchant911.org/blog/index.php/2009/03/...) you'll see that I'm aware of a lot of speculation on that incident. Visa did a (opinionated) very poor job of (/opinionated) denying that there was one. If I assume that you are someone in the industry rather than another blogger with "opinionated misinformation," then I can consider your comment as a verification of that breach - and a confirmation of my opinion that Visa is lying about it. A legitimate question for you, if you will: why hasn't that processor disclosed?
Then, you talk about the card "companies", in which you mean the CARD ASSOCIATIONS, Visa, Mastercard, Discover, etc. and their relationship with acquirers such as Heartland and issuing banks.
You are quite correct but, for the record, I'm quite aware of it. I couldn't help but absorb that distinction in the 8 1/2 years I've been working with e-commerce merchants. I used those words with the idea that some of my readers might not know what I meant when I referred to the Association. A matter of semantics in this case. If you look at most of the press releases out there, you will see that the Associations are usually referred to as 'credit card companies.' I'm certainly not alone on that one.
This is all wrong.
Card associations do not fine issuing banks for fraudulent activity or data compromises. Fines for data compromises affect the acquirer and the acquirer may pass these fines on to the merchant when the merchant is responsible. In this instance, no merchant was responsible for the data breach so the fines (when they are announced) will be absorbed by Heartland. The issuing banks deal with fraudulent activity as a result of any data compromise between the card holder and the merchant. Chargebacks may affect some merchants, but most likely, the distribution of these card numbers around the world will make the impact on US businesses almost non-existent. The effects have been felt mainly by card holders.
Everything you said in that paragraph is wrong. You might consider deleting this entire post or checking ALL of your facts first.
I do stand corrected on the "issuing bank" statement and will shortly edit the paragraph accordingly. What I should have said is that fines are being issued to Heartland's sponsoring banks.
You are also correct that effects have been felt by cardholders but I refuse to consider them as victims in all this. Just last week I received a new debit card telling me that my old one may have been breached in the Heartland incident (yes, my bank named names.) That hardly makes me a victim. Even if my card had been used fraudulently I wouldn't consider myself a victim of anything but the inconvenience of calling my bank to report the fraud.
But then again, I didn't make any statement about who's a victim of what, only that the mess will be very expensive.
There's enough blogging and news media on this topic already. Do some research and get your facts straight.
I do a lot of research but the sources that I have are a bit limited. They are, after all, pretty much limited to blogs and the press. We certainly are not getting a hell of a lot from the industry.