Largest Data Breach In History Tries To Hide Behind Inauguration

Heartland Payment Systems, a credit card processor out of Princeton, N.J., that mostly supports small and midsize businesses, announced during today's presidential inauguration that it was the victim of a massive data breach that could include more than 100 million credit card numbers.Heartland is a publicly traded company that says it is one of the five largest U.S. credit card processors (in terms of volume), handling more than 4 billion transactions a year and more than 100 million per month. The numbers are staggering, but the full scope of the breach is unknown. The data lost included magnetic stripe content only, and not addresses.

The story first came to light thanks to an article by Brian Krebs over at the Washington Post. The breach is likely so massive that Heartland set up a special Website at www.2008breach.com, which, by nature of sounding like last year's news, also seems like a convenient attempt to additionally obfuscate the seriousness of the situation. While Heartland denies it is attempting to hide the breach behind the inauguration, such denials sound about as sincere as Dick Cheney's congratulating Joe Biden.

Details are scarce, but based on Brian's article and the official press release we can discern some interesting facts about what might have happened. It appears the fraud was initially detected by Visa and MasterCard, then traced back to Heartland (similar to the CardSystems Solutions breach of 2004/2005). Heartland began an investigation, involved law enforcement, and discovered malicious software snooping card numbers on its network.

The installation of malicious software to sniff transactions also appeared in the TJX and Hannaford attacks -- two of the other largest data breaches we've seen. Although lost laptops and other media cause the most breach disclosures, it's clear these directed attacks result in the highest levels of fraud (not that we know for sure, of course, because tracking true fraud back to suspected breaches is always a daunting task, and one made ever more difficult by the lack of disclosure from the involved businesses, banks, and other parts of the payment system).

There are two lessons we should all immediately take from this incident:

1. Installation of malicious software to sniff payment information is an effective form of attack, and we need to evaluate our computers and communications channels on our payment systems to prevent it from happening.

2. Trying to hide a major breach during one of the most important days in recent history still won't keep you out of the headlines, and appears more pathetic than calculated.

We have not confirmed Heartland's PCI certification status.

Rich Mogull is founder of Securosis LLC and a former security industry analyst for Gartner Inc. Special to Dark Reading.