Largest Data Breach Disclosed During Inauguration

rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.

Re:WTF???

[amRadioHed]

The implication is that they timed the announcement to occur when no one is paying attention.

what the bad guys didn't steal

[Gary W. Longsine]

Nearly every company that suffers a breach like this tries to assure people about what the bad guy's didn't manage to steal. Don't believe it. Even if it might be true at the strict technical level, it's still not relevant to the analysis of the severity of this issue. The bad guys already have databases full of names and addresses which they will cross reference against the data they stole.

"Actually quite difficult"?

[MozeeToby]

The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address.

Because we all know that it's impossible to spoof the magnetic strip on the credit card.

Re:WTF???

[idiotnot]

Same reason Clear Channel laid off 8% while this was going on. :-)

Re:Missing Address

[n0dna]

Let's also not overlook that while some stores/merchants may have a policy to ask for address when doing Cardless Transactions, the processing houses (at least the ones I've used) will more than happily process the transaction successfully without anything more than the card number and the expiration date.

Some processors will refuse to process transactions within the month that the card expires, but you simply add 4 years to the date and it'll go through just fine.

The Credit Card companies have pushed very hard and very long to make credit transactions more painless than cash. You have to drop some safeguards to do that though.

Re:This is why CC zero-liability is a good thing.

[Chuck Chunder]

Some clueless person says this every time there is a story on credit cards.

Visa/MC do not end up paying. Merchants on the receiving end of fraudulent transactions do. Visa/MC may even profit from it as the fees they charge merchants for chargebacks can be quite steep.

Re:why were they even

[ducomputergeek]

Because they are the ones processing the transactions. We don't use heartland, but when take online orders through our website, we don't store the credit card information, our CC Processor does. The processors are the one that actually run the transactions, take money from the customers account, take a percentage, then deposit to the merchants account. And they have to keep records of all that.

In order for CC payment to work someone has to store that data somewhere.

Re:WTF???

[Bill, Shooter of Bul]

No, they are liable and are going to pay through the nose, but not for "identity theft". They will be responsible for improperly securing their network and permitting the theft of the cards. But identity theft is a different beast. No one will be able to sign up for new credit cards and or loans in the names of the people whose data was compromised.

Card not present transactions

[CmdrPorno]

This is BS. Anyone with a card terminal can key the number in, or the card could be cloned. I discovered that FIA categorizes keying the number into the terminal as a "card present" transaction, when I tried to dispute an unrecognized charge. They then use this as a reason that the charge was legitimate, even when the card was not in fact present.

Re:why were they even

[cbiltcliffe]

I don't think they were necessarily storing it, from the press release. To me, it basically says a network sniffer picked up network traffic on the wire. That can happen whether you store the info or not.

Re:This is why CC zero-liability is a good thing.

[Todd Knarr]

Save that Visa and Mastercard rules prohibit the merchant from validating the identity of the person using the credit card. For instance, a merchant is prohibited from requiring the customer to present ID (such as a driver's license) before they'll take the card. If a merchant refuses to take cards without identification, Visa/MC will terminate their merchant account.

Re:Suckers

[Anonymous Coward]

Except that the large majority of payments that they process are from actual storefronts, not internet transactions. You're not safe anywhere, sucker.

Re:This is why CC zero-liability is a good thing.

[Achromatic1978]

Not quite. The merchant agreement typically states that the merchant cannot use ID to validate the identity ONLY for card purchases. If they check ID for check purchases, too, they'd typically be free to do so. It's essentially "you cannot do anything that makes it more inconvenient to the customer to purchase via our card than via other methods".

Re:WTF???

[RiotingPacifist]

Thats nothing a certain middle eastern country broke it's fragile ceasefire, the night of the US election, that was more than just a good time to leak the news. TBH im surprised that a UK official got in trouble for saying 9/11 was a good day to get rid of bad news, this shit has been going on for years.

Re:WTF???

[LordSnooty]

The point is still valid, whilst on a normal day the news networks might've been following up the news, gathering info, interviewing victims, instead all their resources are working on the Coronation, er I mean inauguration.

My own government is guilty of the very same [bbc.co.uk] - "a good day to bury bad news" as the infamous leaked e-mail went. As he said, rooted in reality.

Re:WTF???

[jdcope]

Cover up. Hell, even here in Portland, Oregon, the new mayor held a press conference today and said he lied about a sexual relationship with a teen boy.