The story first came to light thanks to an article by Brian Krebs over at the Washington Post. The breach is likely so massive that Heartland set up a special Website at www.2008breach.com, which, by nature of sounding like last year's news, also seems like a convenient attempt to additionally obfuscate the seriousness of the situation. While Heartland denies it is attempting to hide the breach behind the inauguration, such denials sound about as sincere as Dick Cheney's congratulating Joe Biden.
Details are scarce, but based on Brian's article and the official press release we can discern some interesting facts about what might have happened. It appears the fraud was initially detected by Visa and MasterCard, then traced back to Heartland (similar to the CardSystems Solutions breach of 2004/2005). Heartland began an investigation, involved law enforcement, and discovered malicious software snooping card numbers on its network.
The installation of malicious software to sniff transactions also appeared in the TJX and Hannaford attacks -- two of the other largest data breaches we've seen. Although lost laptops and other media cause the most breach disclosures, it's clear these directed attacks result in the highest levels of fraud (not that we know for sure, of course, because tracking true fraud back to suspected breaches is always a daunting task, and one made ever more difficult by the lack of disclosure from the involved businesses, banks, and other parts of the payment system).
There are two lessons we should all immediately take from this incident:
- 1. Installation of malicious software to sniff payment information is an effective form of attack, and we need to evaluate our computers and communications channels on our payment systems to prevent it from happening.