Largest Data Breach Disclosed During Inauguration

Posted by kdawson on Tue Jan 20, 2009 02:44 PM
from the debit-cards-at-risk dept.
rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.
Related Stories

Visa Says No New Processor Breach After All
Buzz has been building for the last week about what might be a new data breach at a credit-card processor. No, not Heartland, a different one. Now Computerworld is reporting that Visa claims there was no new breach. Whom to believe? "In actuality, Visa said in a statement issued today, alerts that it recently sent to banks and credit unions warning them about a compromise at a payment processor were related to the ongoing investigation of a previously known breach. However, Visa still didn't disclose the identity of the breached company, nor did it say why it is continuing to keep the name under wraps."
Three Indicted In Huge Identity/Data Breach
ScentCone and other readers let us know about an indictment just unsealed in federal court for stealing 130 million credit cards and other data useful in identity theft, or just plain money theft. The breaches were at payment processor Heartland (accounting for the bulk of the 130M), Hannaford, 7-11, and two unnamed "national retailers." Interestingly, the focus of the indictment, Albert "Segvec" Gonzalez, is currently awaiting trial for masterminding the TJX break-in, which until Heartland counted as the largest credit-card theft ever. The indictment cites SQL injection attacks as the entry vector. Two unnamed Russia-based conspirators were also indicted. Securosis has analysis of the security implications of the breach ("These appear to be preventable attacks using common security controls. It's possible some advanced techniques were used, but I doubt it") and the attackers' methodology.
  • Suckers (Score:5, Funny)

    by htnmmo (1454573) on Tuesday January 20 2009, @02:57PM (#26534663) Homepage
    This is why I never go on the internet. It's just not safe.
  • Missing Address (Score:5, Insightful)

    by wiz31337 (154231) * on Tuesday January 20 2009, @03:00PM (#26534745)

    "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address," Baldwin said.

    Because as we all know it is impossible to get someone's address by having only their full name and credit card number.

    They are trying to downplay a very serious incident by disclosing the breach on a day heavily focused on the inauguration. Then they have the nerve to say "don't worry, they didn't get your address," as if to say someone smart enough to embed malicious software which gathers credit card numbers is not smart enough to find someone's address. C'mon!

    • Re:Missing Address (Score:5, Informative)

      by n0dna (939092) on Tuesday January 20 2009, @03:22PM (#26535195)

      Let's also not overlook that while some stores/merchants may have a policy to ask for an address when doing cardless transactions, the processing houses (at least the ones I've used) will more than happily process the transaction successfully without anything more than the card number and the expiration date.

      Some processors will refuse to process transactions within the month that the card expires, but you simply add 4 years to the date and it'll go through just fine.

      The Credit Card companies have pushed very hard and very long to make credit transactions more painless than cash. You have to drop some safeguards to do that though.

    • by sorak (246725) on Tuesday January 20 2009, @05:16PM (#26537515)

      Hmmm...B.H. Obama. Jeffery, get out the phone book. We need to determine where this guy lives.

  • The guy posted to his blog about it. On the same day as the inauguration.

    Seriously, the tone of the summary is dumb as fuck. The press release is from today, as is the blog post. It's not even a fucking newspaper article.

    • The guy posted to his blog about it. On the same day as the inauguration.

      Did he? I would RTFA, but I've given up trying to read white-on-black web pages. Seriously, whoever thought that dense white text on a black background is easily readable?

      I'll agree that it is a little more readable on LCD monitors than it was on slightly old CRT monitors, but it still isn't easily readable.

  • by Gary W. Longsine (124661) on Tuesday January 20 2009, @03:03PM (#26534773) Homepage Journal
    Nearly every company that suffers a breach like this tries to assure people about what the bad guys didn't manage to steal. Don't believe it. Even if it might be true at the strict technical level, it's still not relevant to the analysis of the severity of this issue. The bad guys already have databases full of names and addresses which they will cross-reference against the data they stole.
  • by MozeeToby (1163751) on Tuesday January 20 2009, @03:03PM (#26534789)

    The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address.

    Because we all know that it's impossible to spoof the magnetic strip on the credit card.

  • When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together.

    • Some clueless person says this every time there is a story on credit cards.

      Visa/MC do not end up paying. Merchants on the receiving end of fraudulent transactions do. Visa/MC may even profit from it as the fees they charge merchants for chargebacks can be quite steep.

      • And? Most of the time, the reason the chargeback happened is because the merchant didn't bother to follow procedures - they didn't validate the identity of the person using the CC.
        • Re: (Score:3, Informative)

          Save that Visa and Mastercard rules prohibit the merchant from validating the identity of the person using the credit card. For instance, a merchant is prohibited from requiring the customer to present ID (such as a driver's license) before they'll take the card. If a merchant refuses to take cards without identification, Visa/MC will terminate their merchant account.

          • Re: (Score:3, Informative)

            Not quite. The merchant agreement typically states that the merchant cannot use ID to validate the identity ONLY for card purchases. If they check ID for check purchases, too, they'd typically be free to do so. It's essentially "you cannot do anything that makes it more inconvenient to the customer to purchase via our card than via other methods".
    • "When stuff like this happens, it is not the consumers who end up paying, but Visa / MC - who end up putting pressure on these guys to get their act together"

      It's the consumers who pay for it with higher charges to pay for things like the chip-and-PIN upgrade. Similar to how the consumers pay for shoplifting.
  • by rs232 (849320) on Tuesday January 20 2009, @03:42PM (#26535657)
    What's needed is a totally new kind of online financial transaction system. One that doesn't use card numbers. A dongle on the client connects to the server, generates a one-time session key, identifies itself to the server and displays a random PIN code; the customer then types it in to verify the transaction. The session is encrypted and the data sent can only be used for the one transaction, no repeat man-in-the-middle hacks.
    • Please mod parent up. I have mod points, but posted elsewhere. Having just gone through PCI compliance (which is frankly a joke), there needs to be a better system out there.

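The scheme rs232 sketches above (a device-held secret, a per-transaction challenge, a short code the customer types back, and a server that accepts each code exactly once) can be modelled as a challenge-response exchange. The block below is an added illustration, not code from the post or from any real payment processor; the `Dongle`/`Server` classes, the challenge encoding and the 6-digit code truncation are my own assumptions. Because the code is bound to the merchant and amount as well as a fresh nonce, a replayed code or a tampered amount is rejected.

```python
import hmac
import hashlib
import secrets
import struct

# Hypothetical shared-secret dongle: holds a per-device key and, given a
# challenge that names the transaction, shows a 6-digit code to the customer.
class Dongle:
    def __init__(self, device_id: bytes, secret: bytes):
        self.device_id = device_id
        self.secret = secret

    def respond(self, challenge: bytes) -> str:
        mac = hmac.new(self.secret, challenge, hashlib.sha256).digest()
        # Truncate the MAC to something a human can type; 6 digits here.
        return "%06d" % (int.from_bytes(mac[:4], "big") % 1_000_000)

# Hypothetical server side: issues one challenge per transaction and
# accepts each nonce once, so a captured code cannot be reused.
class Server:
    def __init__(self):
        self.secrets = {}   # device_id -> shared secret (constructed, in memory)
        self.pending = {}   # nonce -> challenge bytes awaiting a code
        self.used = set()   # nonces already consumed

    def register(self, device_id: bytes, secret: bytes) -> None:
        self.secrets[device_id] = secret

    @staticmethod
    def encode(device_id: bytes, merchant: bytes, amount_cents: int, nonce: bytes) -> bytes:
        # Length-prefixed fields so "ab|c" and "a|bc" cannot collide.
        parts = [device_id, merchant, struct.pack(">Q", amount_cents), nonce]
        return b"".join(struct.pack(">H", len(p)) + p for p in parts)

    def start_transaction(self, device_id: bytes, merchant: bytes, amount_cents: int) -> tuple[bytes, bytes]:
        nonce = secrets.token_bytes(16)
        challenge = self.encode(device_id, merchant, amount_cents, nonce)
        self.pending[nonce] = (device_id, challenge)
        return nonce, challenge

    def verify(self, nonce: bytes, code: str) -> bool:
        if nonce in self.used or nonce not in self.pending:
            return False            # replay, or no such transaction
        device_id, challenge = self.pending[nonce]
        expected = Dongle(device_id, self.secrets[device_id]).respond(challenge)
        ok = hmac.compare_digest(expected, code)
        if ok:
            del self.pending[nonce]
            self.used.add(nonce)    # one code, one transaction
        return ok

def demo() -> dict:
    """Walk through a good transaction, a replay, and a tampered amount."""
    server = Server()
    secret = secrets.token_bytes(32)
    dongle = Dongle(b"dev-0001", secret)
    server.register(dongle.device_id, secret)

    nonce, challenge = server.start_transaction(b"dev-0001", b"shop.example", 4999)
    code = dongle.respond(challenge)              # customer reads this off the dongle
    first = server.verify(nonce, code)            # True
    replay = server.verify(nonce, code)           # False: nonce already consumed

    # Attacker in the middle changes the amount before the dongle sees it;
    # the server's copy of the challenge still says 4999, so the code mismatches.
    nonce2, _ = server.start_transaction(b"dev-0001", b"shop.example", 4999)
    forged = server.encode(b"dev-0001", b"shop.example", 499900, nonce2)
    tampered = server.verify(nonce2, dongle.respond(forged))  # False
    return {"first": first, "replay": replay, "tampered": tampered}
```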
  • storing this information?
    • by ducomputergeek (595742) on Tuesday January 20 2009, @03:56PM (#26535969) Homepage

      Because they are the ones processing the transactions. We don't use Heartland, but when we take online orders through our website, we don't store the credit card information; our CC processor does. The processors are the ones that actually run the transactions, take money from the customer's account, take a percentage, then deposit to the merchant's account. And they have to keep records of all that.

      In order for CC payment to work someone has to store that data somewhere.

    • Re: (Score:3, Informative)

      I don't think they were necessarily storing it, from the press release. To me, it basically says a network sniffer picked up network traffic on the wire. That can happen whether you store the info or not.

  • This is BS. Anyone with a card terminal can key the number in, or the card could be cloned. I discovered that FIA categorizes keying the number into the terminal as a "card present" transaction, when I tried to dispute an unrecognized charge. They then use this as a reason that the charge was legitimate, even when the card was not in fact present.

  • by WillAffleckUW (858324) on Tuesday January 20 2009, @05:40PM (#26537893) Homepage Journal

    Those who claim to be perfect but never admit mistakes usually are covering up for massive mistakes.

    And the missing million emails we know of are just the observable symptom, as are the transactions in this health data breach.

    The old truisms of data security still apply:

    1. It's usually insiders that provided or passed on information used to get access.

    2. Those who cover up problems only create even larger problems, due to the system of trust.

    3. You can stop 99 percent of attacks with reasonable security measures, but a determined attacker willing to use human intelligence methods will almost always get through the other 1 percent - the trick is knowing what measures will dissuade the 99 percent and implement those, and use reporting to discover the other 1 percent instead of measures that will be defeated anyway.

    • Re:WTF??? (Score:5, Insightful)

      by EvanED (569694) on Tuesday January 20 2009, @02:47PM (#26534407)

      I would say it may have quite a lot to do with it... it's either a pretty big coincidence, or they are trying to bury the news by releasing it when the networks actually have something else to report on.

      What's your bet on?

    • Re:WTF??? (Score:5, Informative)

      by amRadioHed (463061) on Tuesday January 20 2009, @02:48PM (#26534435)

      The implication is that they timed the announcement to occur when no one is paying attention.

      • Re:WTF??? (Score:5, Insightful)

        by idontgno (624372) on Tuesday January 20 2009, @02:57PM (#26534669) Journal

        [Heartland Payment Systems President and CFO] Baldwin said Heartland worked to disclose the breach last week.

        "Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said.

        "Legal reviews": "Holy crap, we're gonna get our butts sued off if this breach becomes a big news story! You have to delay this until we can start a war or something to distract the press!"

        "Will the inauguration hype of the first African-American President of the United States work as a distraction?"

        "Brilliant!"

        • Re:WTF??? (Score:5, Interesting)

          by bugs2squash (1132591) on Tuesday January 20 2009, @03:26PM (#26535277)
          The breach happened last year. What's the betting that the first the customers know about it will be when fraudulent activity shows up on their credit cards?

          The first instinct of Heartland is to save itself and the first instinct of the banks will be that it can rate jack its customers if the new activity has put them overlimit.

          Only after leaking of the news is inevitable and can no longer be delayed will Heartland grudgingly try to sneak it out under the radar and then in a general, untargeted sense, not directly to the customers involved. Nothing will be done to avoid spreading the pain to a card holder or to a vendor.

          I dare say most of the legal wrangling was in how to spin this as a justification to claim from TARP.
          • Re:WTF??? (Score:4, Interesting)

            by jdoverholt (1229898) on Tuesday January 20 2009, @05:13PM (#26537493) Homepage
            Incidentally, I got a call this morning about an hour before noon EST from Chase. They said they "received information" that my credit card information was compromised. The only suspicious charge was from November, which I didn't notice on my own. This is also the only time Chase has done anything but screw me, so I was pleasantly surprised that they were dealing with it so well. Now I see this and think "hey, I'm part of the largest ___ in history!" Sweet.
            • Re:WTF??? (Score:4, Interesting)

              by tobiasly (524456) on Wednesday January 21 2009, @12:22AM (#26542249) Homepage
              Same thing happened to me back in December. I too have a Chase credit card. My card got declined on a couple purchases so I called them about it. They knew exactly which charges were fraudulent and had already reversed them and closed the card so they could send another with a new number. Interesting that the charges were rather small.. a $5 Netflix charge, maybe a couple $20 or $30 charges, and out of the dozens of legitimate charges per month my wife and I make, they knew which ones were bogus.
    • Re:WTF??? (Score:5, Insightful)

      by oldspewey (1303305) on Tuesday January 20 2009, @02:49PM (#26534455)

      Today. During the inauguration. WTF??? What does the inauguration have to do with this?

      Well, somebody who is inclined toward cynicism might conclude that the company deliberately chose to release this information when public attention would be diverted elsewhere.

      • Re: (Score:3, Interesting)

        Well, somebody who is inclined toward cynicism might conclude that the company deliberately chose to release this information when public attention would be diverted elsewhere.

        Ahh...now I get it. Still, there was that plane that landed in the Hudson a few days back, yesterday was MLK day, the Super Bowl will be in a couple of weeks. Not to mention that it would seem that it would be in their best interests to get the word out to minimize losses.
        • Re:WTF??? (Score:5, Interesting)

          by idontgno (624372) on Tuesday January 20 2009, @03:15PM (#26535023) Journal

          Not to mention that it would seem that it would be in their best interests to get the word out to minimize losses.

          Oh, they've already got that covered:

          Baldwin said it was not appropriate for Heartland to offer affected consumers credit protection or other identity theft protection services.

          "Identity theft protection is appropriate when there is enough personal information lost that identity theft is possible," he said. "In this case, the amount of information we know they did not get is long enough that except in very circumscribed cases identity theft is just not possible."

          In other words, "Yeah, technically it was a breach, but you know, not enough data got released for us to actually be provably liable. So if your CC gets raped, you know, it's not our fault. Really. Trust us. ;)"

          In related news, now we know what happened to the Iraqi Information Minister: He changed his name and became President and CFO of a large credit card payment processing company.

          • Re:WTF??? (Score:4, Informative)

            by Bill, Shooter of Bul (629286) on Tuesday January 20 2009, @04:00PM (#26536067) Journal
            No, they are liable and are going to pay through the nose, but not for "identity theft". They will be responsible for improperly securing their network and permitting the theft of the cards. But identity theft is a different beast. No one will be able to sign up for new credit cards and/or loans in the names of the people whose data was compromised.
        • All of those other incidents (MLK day, super bowl, etc.) are in passing. They are temporary, at best. The inauguration is going to echo through the media for a loooong time to come. Even if someone publicly calls them out on this (more than just on /.) and there is an attempt to generate an uproar over this, in the end, the inauguration will far outweigh the breach when it comes to face-time in the news.

          I'm the cynical type, and I reckon they succeeded at hiding this one in plain sight.

      • Re:WTF??? (Score:5, Interesting)

        by Ambiguous Coward (205751) on Tuesday January 20 2009, @03:26PM (#26535289) Homepage

        Well, somebody who is inclined toward reality

        No need to thank me.

        Also, FTFA:

        Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach...

        Meaning they knew about it long enough to hire some forensics teams, do the research, figure out where the breach came from, etc. and they finished all that up last week...and then decided to wait until NOON today to release the news to the public? Sorry, but that's plain bullshit, no cynicism involved. If they were interested in disclosure, they would've released the news sooner. At the very latest, they would've released it as soon as they found out how it happened (so they could say they had already closed the breach.)

        Instead, they wait until noon (they're a New Jersey company) when the inauguration is happening? Why not sooner in the day? Why wait until what would arguably be lunch time usually? Who discloses breaches at lunch? Answer: nobody. On the other hand, who discloses breaches during a HUGE national (and arguably international) event? Answer: someone trying to hide something.

        Again, I say inclined toward reality, not cynicism.

          • Re: (Score:3, Informative)

            The point is still valid, whilst on a normal day the news networks might've been following up the news, gathering info, interviewing victims, instead all their resources are working on the Coronation, er I mean inauguration.

            My own government is guilty of the very same [bbc.co.uk] - "a good day to bury bad news" as the infamous leaked e-mail went. As he said, rooted in reality.
          • My comments were based on the article itself. What more do you expect? The article claims the disclosure occurred during the inauguration. Regardless, waiting for inauguration day is "interesting" enough.

            Also, just a little heads up: "nothing to do with reality" and "incorrect on the point of exact timing" are not synonymous. It will help lend credence to your position in the future if you learn the difference.

    • If that was their plan, then that's a foolish one. It would have to be an EXTREMELY slow news day for this to get picked up on by the major news outlets, and even slower for most viewers to bother understanding it. And it's going to be picked up by people who are interested, like here, regardless.

      Burying it effectively would be waiting for something like the newest release of some major open source software, or waiting until China or Australia or other nation did something major about censorship.

    • And visiting that link brought up an "invalid security certificate" warning. Good old Microsoft - they can't even get their own servers set up right.
      • You do know that has nothing to do with the server itself right?
        • "You do know that has nothing to do with the server itself right?"

          Do you have any citations for that?

          'A piece of malicious software [washingtonpost.com] planted on the company's payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company's retail clients'
          • And this is somehow anything to do with the server? We're talking about a payment processor, who has to comply with PCI DSS. One thing that requires is that the server managing payment data be isolated from all the client PCs, and run appropriate security software etc. If anything, this is Heartland's fault (and their PCI assessors, of course). Nothing to do with Microsoft, who for the most part make good servers (even if everything else sucks).

        • Did you check the security certificate that is being used by that Microsoft site before posting? I'm sure you understand what role these certificates serve in relation to https connections.

          Of course, the connection to their site might be being intercepted by aliens who are replacing a valid certificate with a bad one. Or maybe they're using an old skool coal fired server and forgot to shake down the clinkers.

          I'll just use Occam's Razor here - and the simplest explanation is that that server is running Win

      • Actually, they can. It isn't invalid at all, it was merely issued by Microsoft's certification authority (which itself has a CA certificate issued by GTE CyberTrust). The problem is your browser (my Firefox 3 didn't even blink twice at it).