Heartland says it has fixed security problem

Published 24 January 2009

Heartland Payment Systems, the sixth-largest payment processor in the United States, processes payments for 250,000 companies; thieves installed a malicious program on the company’s computers which captured data as it flowed across the network

We reported yesterday about what may well be the largest data breach, as Heartland Payment Systems, the sixth-largest payment processor in the United States, admitted that criminals had secretly installed spying software on its computer network (21 January 2009 HS Daily Wire).

AP reports that Heartland now says it has closed the security hole that allowed criminals to infiltrate its systems, but the matter is not yet settled. The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company’s survival if the big card brands decide to cut off Heartland from connecting to their networks. In 2005, CardSystems Solutions went under after a data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with it.

Heartland says it does not yet know how much data was stolen, since the malicious program was capturing data as it flowed across the network, and in that type of intrusion it is hard to figure out how much data was snatched in transit by the interlopers. The potential damage could be very large because Heartland processes 100 million transactions a month, mostly for small to medium-sized businesses. The company says the average merchant in its network does about $350,000 a year in Visa and MasterCard transactions.

Experts told AP that it is reasonable to assume the worst until Heartland gets its arms around the size of the problem. “Data breaches are like pregnancy — you can’t be partly pregnant, and once your data has been compromised, you have to assume all your data’s been compromised, unless you can prove otherwise,” said Michael Argast, security analyst with the Sophos security software firm.

In a breach involving a single merchant, the retailer risks losing its customers’ confidence, but a payment processor which is breached risks losing the confidence of its merchants, which Argast said was much more significant. Consumers typically do not have to pay for fraudulent charges on their accounts, whereas merchants can be saddled with big costs when their businesses are the victims of fraud.

One interesting point: Industry’s security requirements call for payment processors to have separate networks — one for the financial transactions, and another for their general corporate tasks. Heartland will not say how the malware got into the network that processes financial transactions or when it was planted there. “If you’re actually able to compromise that protected network, you’re in, man — you have the keys to the kingdom,” said Mike Rothman, senior vice president of strategy for security software vendor eIQnetworks Inc. “I presume they were able to sniff a large part of the payment traffic at the time the network was compromised.”

AP quotes Robert Baldwin, Heartland’s president and chief financial officer, as saying that the thieves accessed a part of Heartland’s network that handles transactions for 175,000 of the 250,000 merchants with which the company works. He said the program slipped past Heartland’s antivirus software and was able to read data in unencrypted form as it was passed from Heartland to the card brands. Baldwin said Heartland uses heavy encryption, which means its data is cloaked in special computer coding so unauthorized computers cannot read it, but added that the data has to be sent in unencrypted form to the card brands, which is where the criminals were able to spot it.

“Unfortunately the bad guys are very, very good,” Baldwin said. “The malware we encountered did not, and does not, get very well captured by antivirus software, so it’s a challenge we’re going to have to keep working as an industry to combat.”