I see Krebs (via Mogull) has posted about an astoundingly large payment processor data breach at Heartland Payment Systems and may affect 100 million credit and debit card accounts. By the way, do as I do: use your credit cards only when you need to! I don’t even use a debit card.
Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.
Baldwin said Heartland does not know how long the malicious software was in place, how it got there or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.
Some questions I have:
So, how did malicious code get installed and run unfettered for as long as it did?
What led to the suspicions that a breach had occured? It sounds like the malicious code was found only *after* experts were called in. Why were they called in?
What breakdown led to all of this? I hate asking this question, since too often we get zero details on how these things truly happen, as companies, people, and legalese cover it all up leaving the rest of us unable to truly learn from their mistakes.
Was the firm PCI compliant? This is mostly a trivia question, but it will get asked so I might as well join in. PCI compliant or not, there *will* be incidents, even large ones. But it is useful to see if PCI or compliance in general is just not working as the means and end. PCI and any compliance should be an “oh yeah, we got this on the road towards being more secure,” as opposed to being the driver or the goal.
What could have prevented or, better yet, detected this issue? This is part of the “let’s learn from their mistake” that never gets truly answered. I imagine some egress monitoring should have helped…100 million transactions a month all going back out to one or a couple locations should have been spotted, right? And if you do *that* much business, you should have damned good monitoring on systems for processes and digital integrity, right?
“This is mostly a trivia question, but it will get asked so I might as well join in.”
Oh, I don’t think this is just a “trivia question”. This breach will have precedent setting impact that CSO’s and CIO’s won’t be able to ignore.
RE: Heartland Payment Systems: You’re right, of course, the question about their PCI compliance isn’t trivia or trivial. I think that was my idealistic side coming out hoping the PCI gets perceived back where it should be: as raising the bottomline, rather than the insinuation the media (and some business mgmt) makes that PCI compliant == secure. I doubt that; more likely PCI will be crucified publicly.
Sadly*, the people who pay will be the CSO/CISO when they get shown the door because they relied on PCI.
* Or maybe not so sadly if we want to apply survival of the fittest…