Report: Law Enforcement Closing In On Heartland Breach Perpetrator

The Secret Service has identified the prime suspect in the Heartland Payment Systems security breach, and the case has been turned over to the U.S. Department of Justice, according to a news report issued today.

Citing a source "close to the investigation," the trade publication Storefront Backtalk is reporting that law enforcement is closing in on the Heartland data thieves. The publication's source did not provide any additional information, but said the perpetrator's location has been "pinpointed" outside North America.

Heartland, which on Tuesday disclosed a massive data breach that potentially affects more than 100 million credit card transactions, did not make a statement about the law enforcement efforts, but it did issue a new statement on the case earlier today.

The statement from Robert Carr, founder, chairman, and CEO of Heartland Payment Systems, suggests the payment processing company might have found the problem sooner if there had been more sharing of security information among the companies in the market.

"I have talked to many payments leaders who are also concerned about the increasing success and frequency of cybercrime attacks," Carr said. "Up to this point, there has been no information sharing, thus empowering cybercriminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Heartland's goal is to turn this event into something positive, Carr said. "Just as the Tylenol crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data -- and, therefore, businesses and consumers -- much more effectively."

Heartland's organization has "called on" more than 150,000 of its customers in the past three days, and has signed up 400 new merchants since the breach was disclosed, Carr said. As of 4 p.m. ET today, the company's stock was on the rise.

Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed the breach was first discovered in late October or early November, whereas previous statements indicated that it was only in the fall. The company has had two outside forensics teams and the Secret Service working on the problem for more than two months, and yet the "sniffer" software used to collect the data was located only last week.

"It will be interesting to see how this incident pans out," says Rob Rachwald, Fortify's director of product marketing. "Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor's IT resources. "The $64,000 question, of course, is whether Heartland and the U.S. Secret Service will reveal the actual modus operandi of the fraudsters. I somehow think this will not happen." According to the news report, a Heartland spokesman did reveal that the sniffer software was "inactive" when it was finally discovered by the forensics experts. The spokesman did not say whether the software was inoperative, or simply dormant and waiting to be called on again by the criminals.

Other industry experts say the Heartland incident is a referendum on disclosure laws and on the Payment Card Industry Data Security Standard (PCI DSS), both of which were in effect at Heartland, but did not prevent the breach or the delay in reporting it.

"Congress needs to pass a data breach notification law that better protects consumer identities through stronger data security standards with strong encryption," says Bill Conner, president and CEO of data security vendor Entrust.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message