Heartland, After The Hacking

The data breach at Heartland Payment Systems was a disaster for the company. But after picking up the pieces, the company is looking ahead to a more secure future.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 6, 2009

4 Min Read

On January 20, 2009, Heartland Payment Systems reported discovering malicious software in its payment processing system, a security breach of potentially massive magnitude given that the company's handles 100 million transactions per month for more than 250,000 businesses.

While the monetary and data loses following from the penetration of Heartland's systems -- the compromise that lasted for months -- are still being determined, the financial impact on Heartland's stock price alone was devastating.

The breach, in conjunction with the economic downturn, led to the loss of about $500 million in shareholder value, more than three-quarters of the company's market capitalization, two months after the news was announced.

And then there's the cost of more than several dozen breach-related lawsuits filed against the company this year and related expenses.

According to slides presented in August at a National Retail Federation Conference by Robert O. Carr, Heartland's founder, chairman and CEO, the breach cost the company $32 million in legal fees, fines, settlements, and forensics during just the first half of the year.

But Heartland's stock has mostly recovered and its executives have hit the road to restore confidence in the nation's fourth largest payment processor.

At a security conference in San Francisco on Tuesday, hosted by vulnerability management company Qualys, Steven Elefant, Heartland's CIO, described the breach as a disastrous event for the company and likened it to the 1982 Tylenol murders in terms of the corporate crisis response that followed.

For Elefant, who began consulting for Heartland last December and then joined the company in January, the breach made it clear that industry needs to collaborate and share information. The bad guys, he said, are already doing that.

"The bad guys wake up every day and think about how they can destroy us," he said.

To help financial companies communicate, Heartland began working with the Financial Services Information Sharing and Analysis Center (FS-ISAC), a non-profit organization formed in 1999 in response to a Presidential Directive to share information about financial threats, to create the Payments Processing Information Sharing Council (PPISC), an information sharing group specifically for the payment processing industry.

"We firmly believe that knowledge of security threats should not be viewed as a competitive advantage," said Elefant, adding, "The good guys need to create a different mindset and a different culture."

Heartland also believes in encryption. Following a pilot test started in June, the company expects to roll out end-to-end, or data field, encryption for its payment processing network before the end of the year.

"The idea here is to render the data unusable," said Elefant. "If the bad guys get in, that data is not going to be useful for them."

Elefant's message about the virtues of encryption can be heard elsewhere too. On Monday, Visa released a set of guidelines for implementing data field encryption.

"While no single technology will completely solve for fraud, data field encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach," said Eduardo Perez, global head of data security at Visa in a statement.

Heartland has also taken to manufacturing its own payment terminals because none of the existing payment terminals were sufficiently secure, said Elefant.

Heartland's E3 terminals implement an identity-based encryption scheme that generates new cryptographic keys every day, to avoid situations where a terminal's hardware key is compromised and any subsequent data is accessible.

"We feel this is the direction that the industry really needs to go," said Elefant.

And that direction leads to a security model that includes both hardware and software. "We fundamentally believe there is no such thing as safe software anymore," said Elefant.

Elefant also supports harmonizing international laws on cybercrime. Although Albert Gonzalez of Miami, Fla., was indicted for hacking to Heartland and many other companies in August and later that month pleaded guilty, Elefant says that the criminal gang behind the attack remains out of reach overseas.

"We know exactly who are the people in Russia who came after us, but the Secret Service can't go after them because they're in Russia and they're unassailable," he said.

Elefant believes the industry needs to work together to make security a priority. "It takes time to make changes," he said. "The perfect storm is happening right now."

Get all the data from this year's InformationWeek 500 survey free for a limited time. Our report examines business and technology best practices as well as IT investment trends among the nation's most innovative IT users. It also provides industry comparisons against which you can benchmark your company's strategies. Download the report here (registration required).

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights