For the second time in a month, a payment processor has reported being hit by data thieves.
This time, the victim is Heartland Payment Systems, one of the five largest payment processors in the United States. Heartland (NYSE: HYP) has not disclosed how many people were affected by the security breach, which it said may have begun in 2008 and was only uncovered last week.
According to Heartland, the scope of the data loss is still being assessed. Credit card account numbers, expiration dates and, in some cases, cardholders’ names were stolen in the attack, Nancy Gross, a Heartland spokesperson, told InternetNews.com. However, the company does not yet know how many cardholders or businesses were impacted. The 12-year-old payment processor serves 250,000 business locations and handles more than four billion transactions every year, according to its Web site.
“The investigation is still ongoing and we have very far from complete information,” Gross said.
Revelations about a similar data theft at another firm surfaced last month, when RBS WorldPay disclosed that it had suffered a data breach in November that compromised more than a million customers’ records.
In the newest data breach, Heartland’s Gross said that a keystroke logger had been found in the company’s card processing system. But according to a Web site that Heartland set up to handle matters relating to the breach, none of its check management or other systems had been affected, so the attackers did not gain access to merchant data or cardholders’ Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers.
Still, some observers are worried.
“What’s interesting is what’s missing” from Heartland’s disclosure, Mark Bower, director of information protection solutions at e-mail and database encryption software vendor Voltage Security, told InternetNews.com. “It doesn’t say that cardholders’ credit card numbers or credit information was actually not breached.”
Robert Baldwin, the company’s president and chief financial officer, said in a statement on its Web site that Heartland notified federal law enforcement about the breach, and that it also has alerted the issuers of the various cards it processes.
He also said that this incident may be the result of a widespread global cyber fraud operation and that Heartland is cooperating with the United States Secret Service and the Department of Justice (DoJ).
The company said on its breach-related Web site that it discovered the breach after auditing its systems last week, following alerts from MasterCard and Visa about suspicious card transactions in autumn.
However, Gross said that Heartland does not know precisely when the breach actually began.
“We were alerted by Visa and MasterCard late in the fall and we then enlisted the help of several forensic auditors who were charged to conduct a thorough investigation,” she said. “But nothing came up until last week.”
Next steps for Heartland — and the industry
Michael Argast, a security analyst with security consultants Sophos, told InternetNews.com that companies like Heartland need to adopt extremely high security measures. Heartland has said on its site that it has taken steps to further secure its systems, and that it plans to implement a new technology that would flag network anomalies on its systems in real time.
That may be only the start of what it needs to do, Argast said.
“For organizations that monitor transactions, you need to have much higher levels of security,” he said. “These guys are the crown jewels of theft for attackers.”
Argast added that he thought that if Heartland had good auditing systems in place, it should have been able to find out how many cardholders have been affected by now. “This type of organization needs to be able to do this with in-house security analysts, and should not have to call in third-party auditors,” he said.
He also said that the keystroke logger probably represented the first part of a two-phase attack.
“They got that malware into the organization through social engineering, then pulled down the sniffer into the network,” he said.
Matters of disclosure
Observers also say the Heartland breach highlights the current state of legislation regarding disclosure when data loss hits corporations.
There is no federal law requiring companies suffering a data breach to notify affected users, customers or employees, but laws in several states do require this, Scott Christie, a partner in law firm McCarter & English, told InternetNews.com.
“As a general proposition, those laws require victims to be notified once it is clear that residents of those states have had their information compromised,” he said. But if the data is encrypted, most states relieve the company of the burden to notify, he added.
Gross said Heartland had been certified as compliant with Payment Card Industry specifications in April and that its systems are secure, but said she could not be more specific.
Public disclosure may also be delayed because some state laws require a breached company to report the attack first to law enforcement. The law enforcement agencies may then require companies to hold off on notifying customers of a breach to avoid hurting their investigation, Christie said.
More attacks to come?
Yet even as Heartland is coping with the aftermath of its data breach, other payment industry companies may also be at risk. Gretchen Hellman, vice president of security solutions at database security and encryption solutions vendor Vormetric, told InternetNews.com that more such attacks targeting payment processors may be on the way.
“Once the cybercriminals have a model that works, there’s no reason to not repeat that,” she said.
Experts have already warned that cybercriminals will step up their efforts this year.
The government does show some signs of taking steps to thwart such an increase. Earlier this month, California Senator Dianne Feinstein (D-Calif.) introduced two bills on data breaches and protection of individual privacy.
Still, more needs to be done to fight back, experts said. Enterprises and governments need to review their security approaches, identify key gaps within their infrastructures and deal with them quickly, Bill Conner, president and CEO at security vendor Entrust, told InternetNews.com in an e-mail.
He also called for more government action to deal with the problem. “The government needs to standardize data breach notification laws and call for technology like encryption and stronger authentication that truly protects consumer information,” Conner said.
Conner’s calls echo those made last month by a bipartisan nonprofit think tank, the Center for Strategic and International Studies (CSIS). The Center called on the Obama administration to strengthen cybersecurity in both the private and public sectors.
Update adds additional details of the breach from Heartland and comments from Gross, Christie and Argast.