Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Report: Law Enforcement Closing In On Heartland Breach Perpetrator

Secret Service, DoJ reportedly pinpoint location of cybercriminal outside North America

The Secret Service has identified the prime suspect in the Heartland Payment Systems security breach, and the case has been turned over to the U.S. Department of Justice, according to a news report issued today.

Citing a source "close to the investigation," the trade publication Storefront Backtalk is reporting that law enforcement is closing in on the Heartland data thieves. The publication's source did not provide any additional information, but said the perpetrator's location has been "pinpointed" outside North America.

Heartland, which on Tuesday disclosed a massive data breach that potentially affects more than 100 million credit card transactions, did not make a statement about the law enforcement efforts, but it did issue a new statement on the case earlier today.

The statement from Robert Carr, founder, chairman, and CEO of Heartland Payment Systems, suggests the payment processing company might have found the problem sooner if there had been more sharing of security information among the companies in the market.

"I have talked to many payments leaders who are also concerned about the increasing success and frequency of cybercrime attacks," Carr said. "Up to this point, there has been no information sharing, thus empowering cybercriminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Heartland's goal is to turn this event into something positive, Carr said. "Just as the Tylenol crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data -- and, therefore, businesses and consumers -- much more effectively."

Heartland's organization has "called on" more than 150,000 of its customers in the past three days, and has signed up 400 new merchants since the breach was disclosed, Carr said. As of 4 p.m. ET today, the company's stock was on the rise.

Many experts continue to speculate on why it took so long for Heartland to identify and disclose the breach. According to the Storefront Backtalk report, the payment processor revealed the breach was first discovered in late October or early November, whereas previous statements indicated that it was only in the fall. The company has had two outside forensics teams and the Secret Service working on the problem for more than two months, and yet the "sniffer" software used to collect the data was located only last week.

"It will be interesting to see how this incident pans out," says Rob Rachwald, Fortify's director of product marketing. "Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor's IT resources. "The $64,000 question, of course, is whether Heartland and the U.S. Secret Service will reveal the actual modus operandi of the fraudsters. I somehow think this will not happen." According to the news report, a Heartland spokesman did reveal that the sniffer software was "inactive" when it was finally discovered by the forensics experts. The spokesman did not say whether the software was inoperative, or simply dormant and waiting to be called on again by the criminals.

Other industry experts say the Heartland incident is a referendum on disclosure laws and on the Payment Card Industry Data Security Standard (PCI DSS), both of which were in effect at Heartland, but did not prevent the breach or the delay in reporting it.

"Congress needs to pass a data breach notification law that better protects consumer identities through stronger data security standards with strong encryption," says Bill Conner, president and CEO of data security vendor Entrust.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27621
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
CVE-2020-27620
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
CVE-2020-27619
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
CVE-2020-17454
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
CVE-2020-24421
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.