Feb. 4, 2009
The complaints started in the fall of 2008.
It was around late October when Heartland Payment Systems, a Princeton, N.J.-based company that provides payment processing for roughly 200,000 U.S. businesses, was contacted by Visa and MasterCard about reports of fraudulent activity taking place on cards it had processed.
"Everybody was trying to put the puzzle pieces together," said Jason Maloni, spokesman for Heartland. "We immediately engaged a forensic investigation firm that set about looking at our system from top to bottom."
Maloni claims officials at Heartland didn't believe the company had any security problems until the week of Jan. 12, when forensic investigators uncovered carefully hidden malware on Heartland's servers. Its purpose was to identify private cardholder data, record it and, presumably, transmit it to an unknown third party for criminal use.
"The good news is that the software has been removed," Maloni said. "Unfortunately, the bad news is that key data was compromised during a period in the latter part of 2008."
Too many unknowns
At this point, it's difficult to judge just how bad that bad news is. Maloni says his company processes roughly 100 million transactions per month, 40 percent of which are for small-to-medium-sized restaurants.
It's not known how long the malware was on the server, nor whether it was able to transmit data to its intended third party – although Maloni admits the complaints of fraudulent card activity received by Visa and MasterCard would seem to indicate that it did.
Reports vary on exactly how many transactions may have been compromised. A Jan. 20 article in The Washington Post estimates the amount to be in the neighborhood of "tens of millions."
For perspective, the infamous TJX breach – until now thought to be the largest case of card data theft in history – affected 45 million cardholders, though it's not known how many individual transactions were compromised. The Washington Post article says the Heartland breach may exceed it.
Maloni says it's far too early to be making comparisons.
"Frankly that is speculation at this point, since we don't have a firm idea of what numbers are out there," he said.
David Shackleford, the chief security officer at Configuresoft Inc., says the abundance of unknowns is the most troubling aspect of the breach.
"These guys had malicious software installed in their environment that monitored transactions going pretty much across the board, and the big thing about this is they didn't know when it was installed, how it was installed or how long it was there," said Shackleford, whose company provides IT solutions for businesses. "All the other factors are almost moot in comparison right there."
Maloni says one thing is clear: personal identification data such as consumers' social security numbers, addresses, zip codes, PINs and CVV2 numbers (the three digits on the backs of credit/debit cards often used in Internet transactions) was not compromised.
What may have been compromised, he says, were card names, card numbers and expiration dates.
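The article says the malware's job was to identify cardholder data (above), and that the fields at risk were card numbers, names and expiration dates, not PINs or CVV2. The page does not say how the malware located card numbers, so the following is an added illustration, not code from Heartland or the investigators: it uses the standard technique that both card-scraping malware and DLP or forensic scanners rely on, a digit-pattern regex filtered by the Luhn mod-10 check that every payment card number satisfies, and it masks hits to the first six and last four digits. The authorization-log lines are constructed sample data using public test card numbers; the function and field names are the example's own.

```python
import re

# Candidate card numbers: either four groups of four digits joined by a
# single dash or space, or a bare run of 13-19 digits. The lookarounds keep
# the match from starting or ending inside a longer digit run.
PAN_CANDIDATE = re.compile(
    r"(?<![\d-])(?:\d{4}[- ]){3}\d{4}(?![\d-])"
    r"|(?<!\d)\d{13,19}(?!\d)"
)

# Constructed sample of processor-side authorization records (not real
# data). The first two PANs are published test numbers that pass Luhn;
# the third differs in its last digit and fails the checksum.
SAMPLE_LOG = (
    "2008-10-29 03:14:07 auth ok mid=123456789 "
    "name=JANE DOE pan=4111-1111-1111-1111 exp=1011 amt=42.17\n"
    "2008-10-29 03:14:09 auth ok mid=123456789 "
    "name=JOHN ROE pan=5500000000000004 exp=0312 amt=8.50\n"
    "2008-10-29 03:14:11 auth decl mid=123456789 "
    "name=TEST pan=4111111111111112 exp=0909 amt=1.00\n"
)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum.

    Working from the rightmost digit, every second digit is doubled and
    digit-summed (d*2, minus 9 if over 9); the total must be a multiple
    of 10. Random digit runs pass this about one time in ten, which is
    why scanners combine it with the length and grouping pattern above.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = _strip_separators(m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six (BIN) and last four digits, the most PCI DSS
    permits to be displayed; everything between is replaced with '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact(text: str) -> str:
    """Rewrite text with every Luhn-valid card number masked, so that a
    log or dump can be kept or shared without holding full PANs."""
    def _mask(m: re.Match) -> str:
        digits = _strip_separators(m.group())
        if luhn_valid(digits):
            return mask_pan(digits)
        return m.group()  # not a card number; leave it alone
    return PAN_CANDIDATE.sub(_mask, text)


if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("card number found:", mask_pan(pan))
    print(redact(SAMPLE_LOG))
```

Run as a script it reports the two valid numbers in masked form and prints the redacted log. The same regex-plus-Luhn test is what a network or memory capture would be scanned with during an investigation like the one described; a processor that wants to notice exfiltration rather than discover it from issuer complaints can run the detector over outbound traffic and alert on any Luhn-valid hit leaving the card-processing segment.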
Another thing Maloni says he can confirm is that it wasn't an inside job. He says the U.S. Secret Service, which is investigating the breach along with the U.S. Department of Justice, has uncovered information that leads them to believe it may involve individuals outside the U.S.
"It appears to be an international cyber crime organization – a global cyber crime organization," he said, though he wouldn't provide any details about the countries allegedly involved.
Representatives of the U.S. Department of Justice and the U.S. Secret Service were contacted but refused to comment.
Also of interest to investigators is the entry point the criminals used to install the software on the server. Neither U.S. authorities nor Heartland has released information on this yet.
Shackleford admits it's speculation, but he says hackers often use badly coded Web sites as back doors to company servers. This would enable the hackers to plant the software from an off-site location.
"That's the number one thing that most people are starting to have trouble with," he said. "Everybody rushed to put Web applications out there and they're coded horribly."
Who's to blame?
When it comes to prosecuting data breaches such as this, Shackleford says the international aspect can be a significant obstacle, given that some countries have no extradition laws for computer crime. In fact, he says U.S.-based criminals will often send the data from server to server, crossing through one of these countries so authorities will be unable to follow the trail.
"The minute it crosses the border into Yugoslavia, the case is almost dead," he said. "It's crazy, right? Most people don't realize that the Number One location in the world for online auction fraud is Romania. Romania is one of those countries, so it's very, very difficult to prosecute things there."
Even cases in the U.S. can be difficult to prosecute, according to Shackleford, who says the data trail often leads to a computer lab at a university or public library, where it's next-to-impossible to link the evidence to an individual user.
Obviously criminals can be prosecuted, but the breach does raise questions of liability.
Shackleford says the onus is on card associations like Visa and MasterCard to put the pressure on processors and merchants that get compromised. He says that pressure could come in the form of dramatically increased transaction fees for any Visa or MasterCard transactions, or through card issuers disallowing the transaction altogether – something he says didn't happen after the TJX case.
"Have they (TJX) really suffered at all?" he asked. "That's the question. No. They got a slap on the wrist. They had some fines levied against them that were paltry."
At the same time, he says consumers remain indifferent to news of the breaches.
"If you as a consumer still go shop at Marshalls and pay with a credit card, even after what happened happened, then TJX pretty much gets away scot-free," he said. "Consumer apathy is one major problem."
That said, it's still unclear what actions Heartland could have taken to avoid the alleged breach. According to Maloni, the company was PCI compliant as of April 2008.
He dismissed the suggestion that Visa and MasterCard should raise Heartland's transaction fees.
"It serves no one to talk about stringent penalties unless we're also going to talk about what we need to do to make sure we have stringent security," he said, adding that Heartland has created a site where consumers and merchants can learn more about the data compromise.