Heartland breach blamed on “extremely sophisticated” malware

Heartland Payment Systems was the victim of an unforeseen malware attack that cannot be blamed on employee oversight, a company spokesman said on Thursday.

"An extremely sophisticated bug got into our system," said the spokesman, who would not give his name. "It absolutely was in no way caused by anyone's lack of attention to [security]. It made [CSO] Kris [Herrin] and all of us sick. We are moving very quickly to do the right thing we need to do to ensure we have the best security in the future."

Few new details have emerged since the Princeton, N.J. payment processor revealed on Tuesday that a global cybercriminal operation breached its systems to install malicious, data-sniffing software -- even as the company was in compliance with payment industry guidelines.

The malware was able to silently siphon credit and debit card numbers as they traversed the company's internal network, the spokesman said.

The company has not revealed how many accounts potentially were exposed to the cyberbandits, but Heartland each month processes about 100 million card transactions from 175,000 merchants, the spokesman said. The breach occurred during the last half of 2008, and Heartland first was notified about it in late October when Visa and MasterCard called to report suspicious activity on accounts Heartland had processed.

The card brands also contacted other entities involved in the payment process, yet as it turned out, Heartland was the victim, the spokesman said. But the company only discovered the malware late last week, more than two months after it began a forensic investigation of its systems.

Heartland is working with the card brands and issuers to alert affected customers, he said. From a technology standpoint, the company now plans to deploy a new solution to identify network anomalies in real time, the company said.

During the attack, the thieves only were able to retrieve card numbers, names and expiration dates -- not the more sensitive PIN and CVV2 codes that are used to make card-not-present transactions, the spokesman said.

David Bergert, a former Payment Card Industry (PCI) qualified security assessor who now works as a senior consultant at payment solutions provider On-Line Strategies, said the data was likely lifted as it crossed "private lease lines," which are not required to be encrypted.

But even if they were, cloaking these networks is difficult because of encryption format issues, he said. Instead, other controls, such as firewalls and network segmentation, are recommended.

"Service providers are a lot different than merchants in how they handle data," Bergert said on Thursday. "They're in the business of processing credit card details. There's a point in time where they need to send it in clear text to these other parties involved in the payment system."

The Heartland spokesman said the firm will continue to investigate the breach and likely will take on more IT staff as a result -- all this as the share price has plummeted by about 50 percent in five days.

But the company has no plans of closing its doors, as eventually was the case with payment processor CardSystems Solutions, which itself suffered a devastating breach in 2005.

"We're going to be a better company for it," the Heartland spokesman said.
