Ta-da, we've got a new record!
Yesterday, credit and debit card transaction processing and payroll giant Heartland Payment Systems announced that it had experienced the largest loss of sensitive customer records yet reported publicly, though people have only been keeping records, or reporting breaches, for a few years now.
Heartland on Jan. 20 essentially admitted that hackers gained access to its database, which handles over 100 million card transactions per month, for a good few weeks in the fourth quarter of 2008. If you do the math in your head, this means that the Heartland Hackers (doesn't that sound like some sort of online militia group? Eat your heart out, CNN) likely got their hands on far more than the 94 million customer records thieved in similar fashion out of retailer TJX Companies several years ago. (Am I the only one who can still hear the party raging in Framingham now that the crown has been passed on? But don't worry, TJX, we'll never forget you!)
All things considered, there are some interesting points to review in light of the incident. First off, promises to do better in protecting customer information don't necessarily equate to success. Right underneath Heartland's name on its Web site it says "the highest standards" and "the most trusted transactions." Yet here we are. And honestly, if Heartland's execs went so far as to put it there, I'm pretty willing to believe that they took the whole issue pretty seriously. Would a PR expert say they were foolish to make such high-profile promises? Perhaps, but I don't think they were if they were indeed taking all the steps they could to protect their assets. The hackers are good, period.
Second, Heartland is surely PCI-compliant, based on its size and business model. This speaks to the fact that being PCI-compliant doesn't prevent you from getting hacked, even if you can maintain the controls. PCI has gone a long way toward forcing companies like this to improving their defenses, but there's still a long way to go. Bob Russo, general manager of the PCI Security Standards Council, will sit there and happily tell you that your compliance certificate isn't so meaningful once it goes in your drawer and starts collecting dust. PCI is a road map, but markedly improving electronic data security will be a long journey.
Also, the size of the breach also underscores the fact that -- while the approach is increasingly commoditized by the sheer volume of stolen data already in motion out there -- cyber-criminals still see a big business in stealing personal records that they can turn around and try to sell to others. According to a story filed by USA Today's Byron Acohido, some experts who track sales of such stolen data, such as CardCops, have seen recent surges in records hitting the underground market, potentially driven by incidents at massive processors like Heartland. Clearly, the thieves follow the money, and the stolen data is still making enough money for people to go to the trouble of stealing, selling and buying it.
Another angle on the targeting of such a massive transaction processor is that criminals are moving upstream. Surely the merchant data available at Heartland is even more valuable than, say, the end-user data at TJX. One would think there are numerous ways to attempt to funnel cash away from a business, and that it may be far more profitable to do so than to target mere individuals. It should be interesting to see if any of Heartland's business partners are involved in subsequent incidents.
Endgame, hackers are still capable, and likely may always be, of vaulting the walls of defensive mechanisms that organizations have constructed to keep outsiders from getting to valuable back-end data. Nobody knows how this attack was carried out yet or how technically advanced or crude it might have been, whether it involved IT vulnerabilities or social engineering, but what we do know is that Heartland wasn't likely sitting on its laurels from a security perspective, considering PCI, etc.
No matter what we do, this will always be a cat-and-mouse game. It may come out that Heartland was in fact making some glaring mistake in defending its information, but whether it was or was not, just as with preventing physical bank robberies and business fraud, this isn't a game with an ending.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.