Report: Law Enforcement Closing In On Heartland Breach Perpetrator

Secret Service, DoJ reportedly pinpoint location of cybercriminal outside North America

The Secret Service has identified the prime suspect in the Heartland Payment Systems security breach, and the case has been turned over to the U.S. Department of Justice, according to a news report issued today.

Citing a source "close to the investigation," the trade publication Storefront Backtalk is reporting that law enforcement is closing in on the Heartland data thieves. The publication's source did not provide any additional information, but said the perpetrator's location has been "pinpointed" outside North America.

Heartland, which on Tuesday disclosed a massive data breach that potentially affects more than 100 million credit card transactions, did not make a statement about the law enforcement efforts, but it did issue a new statement on the case earlier today.

The statement from Robert Carr, founder, chairman, and CEO of Heartland Payment Systems, suggests the payment processing company might have found the problem sooner if there had been more sharing of security information among the companies in the market.

"I have talked to many payments leaders who are also concerned about the increasing success and frequency of cybercrime attacks," Carr said. "Up to this point, there has been no information sharing, thus empowering cybercriminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Heartland's goal is to turn this event into something positive, Carr said. "Just as the Tylenol crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data -- and, therefore, businesses and consumers -- much more effectively."

Heartland's organization has "called on" more than 150,000 of its customers in the past three days, and has signed up 400 new merchants since the breach was disclosed, Carr said. As of 4 p.m. ET today, the company's stock was on the rise.

Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed the breach was first discovered in late October or early November, whereas previous statements indicated that it was only in the fall. The company has had two outside forensics teams and the Secret Service working on the problem for more than two months, and yet the "sniffer" software used to collect the data was located only last week.

"It will be interesting to see how this incident pans out," says Rob Rachwald, Fortify's director of product marketing. "Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor's IT resources.

"The $64,000 question, of course, is whether Heartland and the U.S. Secret Service will reveal the actual modus operandi of the fraudsters. I somehow think this will not happen."

According to the news report, a Heartland spokesman did reveal that the sniffer software was "inactive" when it was finally discovered by the forensics experts. The spokesman did not say whether the software was inoperative, or simply dormant and waiting to be called on again by the criminals.

Other industry experts say the Heartland incident is a referendum on disclosure laws and on the Payment Card Industry Data Security Standard (PCI DSS), both of which were in effect at Heartland, but did not prevent the breach or the delay in reporting it.

"Congress needs to pass a data breach notification law that better protects consumer identities through stronger data security standards with strong encryption," says Bill Conner, president and CEO of data security vendor Entrust.

Tim Wilson is Editor in Chief and co-founder of Dark Reading, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
