Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/6/2014
02:45 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Heartland CEO On Why Retailers Keep Getting Breached

Robert Carr, chairman and CEO of Heartland Payment Systems, says lack of end-to-end encryption and tokenization were factors in recent data breaches.

Heartland Payment Systems chairman and CEO Robert Carr could be considered a rare breed of executive these days. He's been outspoken about the massive data breach the firm suffered on his watch in 2008 that exposed 130 million US debit and credit card accounts -- the largest breach ever recorded at the time. And in a new breach era when some corporate executives such as former Target CEO Gregg Steinhafel have lost their jobs over high-profile breaches, Carr is still firmly at the helm of the payment processing firm.

Carr led Heartland's adoption of technologies like end-to-end encryption, tokenization, and EMV chip-and-pin payment card technology to shore up its security after the breach. "We took a position in 2009 that we're not going to clam up and try to point the fingers at somebody else," he told Dark Reading today. "That most definitely helped us a lot."

He has watched the wave of record-breaking retail breaches over the past year, and he says there's a common theme. "What's happening in the meantime is, even though solutions are being introduced, encryption being one we [adopted]… a lot of companies haven't implemented the basics, and they are paying the price for it."

Big data breaches keep occurring because companies aren't investing in the proper security, such as end-to-end encryption and tokenization, Carr says. "The people responsible for spending the money necessary to be safe aren't spending the money. They don't take it seriously. What I've been saying for years is that it's going to continue to get worse, because the pool of victims not doing anything or doing enough is shrinking slowly."

Merchants that think they're too small to be a target will be hit as well, he says, especially as the Tier 1 merchants continue to step up their security game and raise the bar for cybercriminals.

Heartland Payment Systems chairman and CEO Robert Carr.
Heartland Payment Systems chairman and CEO Robert Carr.

Heartland paid out hundreds of millions of dollars to banks and payment card brands in the wake of its breach. Carr contends that the breached company itself should be held liable, not the payment card firms or other partners. The Heartland breach "was our responsibility," he says. "I think liability needs to be held by the breached party. Otherwise, there's no other way to police anything."

Blaming MasterCard and Visa for not phasing out magnetic stripe cards a long time ago is a separate argument. "Today, if a merchant doesn't do the minimum work to avoid a breach, then they are going to get breached. It's just a matter of when."

EMV or chip-and-pin payment card technology, end-to-end encryption, and tokenization are the key technologies merchants should be adopting. "These solutions are pretty readily available" today.

The move to chip-and-pin payment card technology -- where smart cards with embedded microchips authenticate the user's identity -- "is forcing merchants to change out their hardware and thereby spend money to get the equipment they need to get the [card] data out of their systems," he says. "If you make that hardware change, [it's] insane if you don't also solve the encryption issue. Put tokenization in to protect yourself on the backend," as well.

A lot of executives have taken the less expensive option of neither swapping out their payment hardware nor encrypting the full data transaction. "If the bad guys are intercepting transactions on the way to CPU, if you don't encrypt those and get that data out of the clear, you don't have a solution. But a lot of merchants have bought into that."

That's not to say Carr doesn't have a few regrets about how his firm handled its data breach and the aftermath, where malware infiltrated the company's payment processing system. "There are a lot of things I wish could have happened differently. Frankly, I don't know what we could have done differently."

He cited a forensics assessment his company passed with flying colors just before the breach. "We were given a clean bill of health the Friday before our breach" in the exam. "We found the problem, not the forensics teams. Three forensics teams could not find the problem."

For 90 days, Heartland went back and forth with MasterCard and Visa over who was actually breached. He says there was plenty of confusion during that period, and Heartland wasn't looped in on all the investigation specifics. Heartland later confirmed that the breach had begun in June 2008 and ended sometime that August, but the company didn't learn of the attack until January 2009.

"Everybody got a lot smarter about" handling these breach investigations since then, he says.

Carr occasionally gets asked for advice from newly breached retailers. "I tell them we're a processor, you're a merchant. Your situation is completely different from ours. But here's what we did -- take what makes sense for you."

[Yet another point-of-sale (POS) breach at a major retail chain, and the victim adds encryption. Read Breached Retailers Harden PoS, For Now .]

Meanwhile, Carr is skeptical that cyberinsurance is the answer for protecting firms from breach costs. "It gives a false sense of security. Read the exclusions page."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/6/2014 | 3:46:40 PM
Re: NOT blaming card issuers
@Kelly  Oh yeah, I know. And maybe he's just protecting his own. But it's worth noticing whenever anyone says "it's not their fault, it's ours."  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/6/2014 | 3:40:41 PM
Re: NOT blaming card issuers
Yes. But remember, Heartland isn't a retailer--it's a payment processor, so it's more in the financial services side of the world.
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/6/2014 | 3:24:37 PM
NOT blaming card issuers
It's interesting that he says that his company needs to take responsibility, instead of putting blame on card issuers for not using newer technology. Because the National Retail Federation takes the opposite approach, that's for sure:  https://nrf.com//news/four-big-lies-about-data-security  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/6/2014 | 3:23:55 PM
Re: What about transparency?
It was a very candid -- erh...transparent -- interview. Hopefully after he reads it, he can give a little value add and comment about his views on transparency.  
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
10/6/2014 | 3:21:45 PM
Re: What about transparency?
Good question, Marilyn. Unfortunately, I didn't get to ask him about that, but I wish I had. He had some very frank insight, as you can see, about the problems retailers are having that are leading to breaches.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
10/6/2014 | 3:17:00 PM
What about transparency?
Good interview Kelly. Curious to know whether the transparency came up during your interview. Did Carr have any advice for retailers about disclosure after the breach is discovered or reported?
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
10/6/2014 | 3:14:07 PM
Wow
Well I gotta say, I'm surprised. I've yet to hear a CEO with so much understanding of security technology. Heck, I've met CIOs with less understanding. 
<<   <   Page 2 / 2
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16680
PUBLISHED: 2019-09-21
An issue was discovered in GNOME file-roller before 3.29.91. It allows a single ./../ path traversal via a filename contained in a TAR archive, possibly overwriting a file during extraction.
CVE-2019-16681
PUBLISHED: 2019-09-21
The Traveloka application 3.14.0 for Android exports com.traveloka.android.activity.common.WebViewActivity, leading to file disclosure and XSS.
CVE-2019-16677
PUBLISHED: 2019-09-21
An issue was discovered in idreamsoft iCMS V7.0. admincp.php?app=members&amp;do=del allows CSRF.
CVE-2019-16678
PUBLISHED: 2019-09-21
admin/urlrule/add.html in YzmCMS 5.3 allows CSRF with a resultant denial of service by adding a superseding route.
CVE-2019-16679
PUBLISHED: 2019-09-21
Gila CMS before 1.11.1 allows admin/fm/?f=../ directory traversal, leading to Local File Inclusion.