Data Breach at Heartland

By sunetrad at 1:14 pm on January 26, 2009

A New Jersey-based payment card processing company, Heartland Payment Systems Inc., admitted last week to a data breach of its systems. In what may turn out to be one of the largest compromises of payment card information, Heartland disclosed that intruders had hacked into its systems and planted malware, which they then used to steal debit and credit card data.
What the folks over at Heartland still do not know is how the attackers launched the attack or how long the malware has been in their systems.

This is a grave matter for the company and its 250,000 business customers, for which it processes around 100 million transactions every month. The breach is being compared to the attack on TJX in 2007, when around forty-five million cards were compromised. So how successful were the attackers in getting the data they wanted in this case? According to reports from Heartland, the intruders were able to capture card account numbers, expiration dates and, in some cases, the customers’ names as well. The malware installed on the system allowed them to sniff unencrypted data as the transactions were being processed in Heartland’s systems.

What the thieves were not able to get their hands on were the personal identification numbers (PINs) and the addresses of the cardholders. This is generally the information they need to withdraw funds from the victims’ accounts online or over the phone. Heartland also stated that although this information was not compromised, an attacker could use the stolen data to clone a debit or credit card and then swipe it at any location to extract funds.

Reading about this incident made me think of all the times I went to Starbucks and used my debit card. I didn’t have to enter my PIN, and the cashier never asked me for my ID or took my signature. All he/she did was swipe my card. Many people do not track their transactions daily, and hence a thief could easily get away with small withdrawals like this for a period of time if he was successfully able to clone the card with the stolen data. There is risk involved in this approach, like being caught under surveillance, but many businesses that do not enforce security measures as mentioned above just clear the way for attackers. The “two-factor authentication” technique would definitely be more effective in this case.

What I also found interesting in this article was that Heartland was not able to detect this attack for a long time, until it was brought to their notice by Visa and MasterCard, who discovered the suspicious activity. This delay allowed the malware to run for a longer time and hence compromise more data. Also, the attackers chose a card processing company instead of a retailer, which shows that they wanted their attack to be more effective, as more transactions go through a card processor than through any one of its customers.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=spam,_malware_and_vulnerabilities&articleId=332977&taxonomyId=85&intsrc=kc_top
