Dark Reading is part of the Informa Tech Division of Informa PLC



Heartland Struggles To Measure Extent Of Massive Security Breach

Data breach could be industry's biggest ever, experts say

In what some experts are calling the largest security breach ever, Heartland Payment Systems yesterday disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants.

Robert Baldwin, Heartland's president and CFO, told reporters that the intruders had access to Heartland's system for "longer than weeks" in late 2008. The number of victims is unknown. "We just don't have the information right now," Baldwin said.

Tech security experts say the breach could surpass the record set by retail giant TJX, which lost 94 million customer records to hackers in 2007. With more than 100 million transactions per month, Heartland could discover that several months' worth of transactions were captured, says Michael Maloof, chief technology officer at TriGeo Network Security.

Heartland processes card payments for restaurants, retailers, and other merchants. It discovered the hack last week after Visa and MasterCard notified it of suspicious transactions stemming from accounts linked to its systems. Investigators then found the data-stealing program planted by the thieves.

"Our discussions with the Secret Service and Department of Justice give us a pretty good indication that this is part of a group that appears to have done security breaches at other financial institutions," Baldwin said. "This is a very sophisticated attack."

According to published reports, attackers managed to slip keylogger and sniffer programs onto the network, enabling them to record keystrokes and collect unencrypted data in transit. Most of the lost data is probably credit card numbers, names, and expiration dates, which could be used to create counterfeit cards, experts say.

Several reports indicate that Heartland had complied with Payment Card Industry (PCI) security standards and was using strong encryption, but the keylogger collected the data before it was encrypted. Some reports indicate that the breach began as early as May 2008, and may have been detected months ago.

Experts say the keylogger attack might have gone undetected even if Heartland had been using a variety of off-the-shelf security tools. "Most security technologies in use today are about looking for the explicitly -- and in most cases already known to be -- bad. And that leaves a lot of room for error," says Chris King, director of strategic marketing at firewall vendor Palo Alto Networks.

Once it sorts out the matter, Heartland plans to notify each victim in compliance with data-loss disclosure laws in more than 30 states, Baldwin says.

"It is quite unlikely they will be able to confidently determine whose data was lost," says Michael Argast, senior security analyst at Sophos. "If they have great logging, it is possible, but the nature of any compromise makes it difficult to have assurance on the event. At worst, it could be every customer who has used their infrastructure since the breach."

"The reality is cleaning up the mess could be potentially much more expensive than any fines or penalties," Argast adds. "For example, issuing a new card costs around $30. Multiplied by 100 million cards, $3 billion is much more than the scope of any fines. In reality, that could bankrupt the business."

Heartland's disclosure coincides with reports of heightened criminal activity involving stolen payment card numbers. Security firm CardCops has been tracking a 20 percent year-over-year increase in Internet chat room activity where hackers test batches of payment card numbers to make sure they're active. "The numbers could have come from a processor, like Heartland, or some other source that has access to a lot of customer data but is not a retailer," says Dan Clements, president of CardCops.

Also, Forcht Bank in Kentucky last week began issuing replacement debit cards to 8,500 patrons due to reports of fraudulent card activity. "There are several other banks affected, and this is not isolated to Forcht Bank customers," the bank said in a Jan. 12 statement to customers.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
