RealTime IT News

U.S. Fingers TJX Hacker in Heartland Breach - Page 2


Others agreed that one lesson of the case is that a payment processor or other company that complies with Payment Card Industry (PCI) specifications is not necessarily secure.

"In a strange way, these three hackers may have done a service to consumers and the business community at large by making it abundantly clear that PCI and other compliance requirements are not enough to fully protect customer data," Ken Pappas, security strategist at Top Layer, said in an e-mail to InternetNews.com.

"Organizations need to realize that they must go beyond the check-box requirements of compliance regulations and implement a pervasive security strategy that uses advanced technology beyond simple firewalls to address their organization's unique vulnerabilities and to proactively face evolving threats," he said.

Simple fixes to a complex problem

There are a few things that any company can do to protect itself against attacks. For starters, encrypt data while in transit.

"That's like having a safe at home for your data ... but sending it through the mail on a postcard," Sophos' Wang said. "Anyone can read it."

To prevent the initial intrusion, Web applications should be written to examine all queries. "Some very simple changes can be made (if you have access to the code) to make sure that all input is secure," Wang said. "Most of the scripting and programming languages have functions that let you 'sanitize' the data so that it does not pose a threat on the back end."
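The point Wang makes about examining queries and sanitizing input can be shown with a small, self-contained Python example. This is an added illustration, not code from the article or from Sophos; it uses Python's built-in sqlite3 module with a constructed in-memory table, and the function and column names are assumptions chosen for the example. The unsafe lookup builds the SQL text by string concatenation, so the input is parsed as part of the statement; the safe lookup first rejects input that does not match an allowlist pattern and then passes the value to the driver as a bound parameter, so it is only ever treated as data.

```python
import re
import sqlite3

# Constructed sample table for the example (not real customer data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    # Vulnerable pattern: user-supplied text is spliced into the SQL statement,
    # so quotes and keywords in the input change what the query means.
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


# Allowlist pattern (an assumption for this example): only characters that
# can legitimately appear in an e-mail address are accepted.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def sanitize_email(email: str) -> str:
    # Reject anything outside the expected shape instead of trying to strip
    # dangerous characters; unexpected input is an error, not something to repair.
    if not _EMAIL_RE.match(email):
        raise ValueError("input is not a well-formed e-mail address")
    return email


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Hardened pattern: validate first, then bind the value as a parameter so the
    # database engine never interprets it as SQL syntax.
    try:
        clean = sanitize_email(email)
    except ValueError:
        return []
    rows = conn.execute("SELECT name FROM customers WHERE email = ?", (clean,))
    return [row[0] for row in rows]


def compare(email: str) -> tuple:
    # Runs both lookups against the same input so the difference is visible.
    conn = make_db()
    return lookup_unsafe(conn, email), lookup_safe(conn, email)


if __name__ == "__main__":
    # A legitimate address behaves the same both ways; a crafted string that
    # closes the quote and appends a tautology dumps every row from the
    # unsafe query and nothing from the safe one.
    print(compare("alice@example.com"))
    print(compare("x' OR '1'='1"))
```

Running the block prints `(['Alice'], ['Alice'])` for the genuine address and `(['Alice', 'Bob'], [])` for the crafted string: the concatenated query returned the whole table, while the validated, parameterized query returned no match. Logging the rejections from `sanitize_email` is also a cheap way to spot the probing Wang mentions later.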

Wang added that companies should also look for attackers on the network.

"You can run software to examine network traffic to see if someone is probing the Web site, but the more important message is to secure the Web site so that even if they're trying to break in, they cannot," he said. "Businesses should secure the application code, and make sure that the underlying server and operating system are up to date with the latest patches."

Companies that have the resources to do so can also do more.

"Within the business environment, you could segregate certain types of data," Wang said. "Things like customer information and payment information can be held in a separate database with separate access restrictions. Then, even if they get to the site's database, they cannot easily get from there to other databases."

Applications may also not need the full data set, which limits how much data a company has to store at all. "For example, if an application for an online store has to display the last four numbers of a credit card, maybe its backend database only needs those four numbers of the credit card," Wang said.
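Wang's two suggestions, keeping payment data in a separate store with its own access restrictions and storing only the four digits the storefront actually displays, can be combined in one small Python example. This is an added illustration, not code from the article or from Sophos; it uses Python's built-in sqlite3 module, and the file names, table layout and the read-only URI connection standing in for "separate access restrictions" are assumptions made for the example. The storefront code path never receives a full card number and cannot write to the payment store; the full numbers exist only in the constructed input handed to the ingestion function.

```python
import os
import sqlite3
import tempfile


def last_four(pan: str) -> str:
    # Keep only what the storefront needs to display. Separators are tolerated,
    # but the digit count must look like a card number before anything is kept.
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card-number length")
    return digits[-4:]


def build_payment_db(path: str, orders: list) -> None:
    # Ingestion side: a separate database file for payment data. Only the
    # last four digits are written; the CHECK constraint refuses anything longer.
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE payment_display ("
        "order_id INTEGER PRIMARY KEY, "
        "last4 TEXT NOT NULL CHECK(length(last4) = 4))"
    )
    conn.executemany(
        "INSERT INTO payment_display (order_id, last4) VALUES (?, ?)",
        [(order_id, last_four(pan)) for order_id, pan in orders],
    )
    conn.commit()
    conn.close()


def _storefront_connection(path: str) -> sqlite3.Connection:
    # The web-facing application opens the payment store read-only (SQLite URI
    # mode=ro), standing in for a separately restricted database account.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def storefront_view(path: str, order_id: int):
    # What the online store shows: a masked number built from the stored digits.
    conn = _storefront_connection(path)
    row = conn.execute(
        "SELECT last4 FROM payment_display WHERE order_id = ?", (order_id,)
    ).fetchone()
    conn.close()
    return None if row is None else "**** **** **** " + row[0]


def storefront_cannot_write(path: str) -> bool:
    # Even if the storefront code is subverted, the read-only handle refuses writes.
    conn = _storefront_connection(path)
    try:
        conn.execute("INSERT INTO payment_display (order_id, last4) VALUES (99, '0000')")
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


def demo() -> tuple:
    # Constructed sample orders (well-known test card numbers, not real accounts).
    orders = [(1, "4111 1111 1111 1111"), (2, "5500-0000-0000-0004")]
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "payments.db")
        build_payment_db(path, orders)
        return (
            storefront_view(path, 1),
            storefront_view(path, 2),
            storefront_view(path, 3),
            storefront_cannot_write(path),
        )


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `('**** **** **** 1111', '**** **** **** 0004', None, True)`: the two known orders render as masked numbers, an unknown order returns nothing, and the write attempt through the storefront handle fails. The full card numbers are never persisted, so a compromise of the storefront database exposes only the last four digits it was designed to show.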

Pleased at the outcome

For the many individual victims of the attack, the charges could bring some consolation.

The companies that were attacked also appear to be pleased with the news.

"Heartland Payment Systems would like to congratulate Department of Justice and Treasury officials on their effort to bring to justice some of the individuals behind numerous data breaches in recent years," Heartland Chairman and CEO Robert Carr said in a statement.

"The commitment and persistence shown by law enforcement and other stakeholders in this matter has been exemplary. Heartland looks forward to lending whatever support we can to this investigation as well as the broader fight against global cyber criminals," he said.

A Hannaford spokesperson said in an e-mail to InternetNews.com that the company is "pleased that the authorities have aggressively pursued this case to be in a position to bring an indictment against the alleged perpetrators of the crime."

"7-Eleven would like to thank the federal authorities for their diligence in pursuing the perpetrators of this crime. Because this matter is pending, we are not providing further details," 7-Eleven said in a statement.

Update adds additional information from 7-Eleven spokespeople.