With literally tens of millions of card transactions at risk, malware found on the server of Heartland Payment Systems may make history.
January 28, 2009
The complaints started in the fall of 2008.
It was around late October when Heartland Payment Systems, a Princeton, N.J.-based company that provides payment processing for roughly 200,000 U.S. businesses, was contacted by Visa and MasterCard about reports of fraudulent activity taking place on cards it had processed.
"Everybody was trying to put the puzzle pieces together," said Jason Maloni, spokesman for Heartland. "We immediately engaged a forensic investigation firm that set about looking at our system from top to bottom."
Maloni claims officials at Heartland didn't believe the company had any security problems until the week of Jan. 12, when forensic investigators uncovered carefully hidden malware on Heartland's servers. Its purpose was to identify private cardholder data, record it – and presumably – transmit it to an unknown third party for criminal use.
At this point, it's difficult to judge just how bad that bad news is. Maloni says his company processes roughly 100 million transactions per month, 40 percent of which are for small-to-medium-sized restaurants. It's not known how long the malware was on the server, nor whether it was able to transmit data to its intended third party – although Maloni admits the complaints of fraudulent card activity received by Visa and MasterCard would seem to indicate that it did.
Reports vary on exactly how many transactions may have been compromised. A Jan. 20 article in The Washington Post estimates the amount to be in the neighborhood of "tens of millions."
For perspective, the infamous TJX breach – until now thought to be the largest case of card data theft in history – affected 45 million cardholders, though it's not known how many individual transactions were compromised. The Washington Post article says the Heartland breach may exceed it.
Maloni says it's far too early to be making comparisons.
"Frankly that is speculation at this point, since we don't have a firm idea of what numbers are out there," he said.
David Shackelford, the chief security officer at Configuresoft Inc., says the abundance of unknowns is the most troubling aspect of the breach.
"These guys had malicious software installed in their environment that monitored transactions going pretty much across the board, and the big thing about this is they didn't know when it was installed, how it was installed or how long it was there," said Shackelford, whose company provides IT solutions for businesses. "All the other factors are almost moot in comparison right there."
Maloni says one thing is clear: personal identification data such as consumers' Social Security numbers, addresses, zip codes, PINs and CVV2 numbers (the three digits on the backs of credit/debit cards often used in Internet transactions) was not compromised.
What may have been compromised, he says, were card names, card numbers and expiration dates.
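The data Maloni describes as exposed (card numbers with names and expiration dates) is exactly what a processor is expected not to hold in clear text outside its protected cardholder environment. The scanner below is an added example, not code from the article, from Heartland, or from its investigators; it shows the kind of check a defender can run over logs or exported files to find unmasked primary account numbers before an intruder does. The sample log lines are constructed for the example, and the field names (`pan=`, `exp=`) are an assumption about the log layout. A candidate is any run of 13 to 19 digits that passes the Luhn check, which weeds out most reference numbers and timestamps; findings are reported with the PAN masked to the first six and last four digits, the form PCI DSS permits for display.

```python
import re
from typing import List, Tuple

# Constructed sample records for this example, not real transaction data.
# Line 2 is already masked, line 3 is a 16-digit reference that fails Luhn,
# lines 1 and 4 hold unmasked PANs (well-known test numbers).
SAMPLE_LINES = [
    "2009-01-12 10:01:22 txn=1001 name=J DOE pan=4111111111111111 exp=0311 amt=42.10",
    "2009-01-12 10:02:05 txn=1002 name=A SMITH pan=411111111111XXXX exp=1210 amt=9.99",
    "2009-01-12 10:02:41 txn=1003 ref=1234567890123456 amt=15.00",
    "2009-01-12 10:03:10 txn=1004 name=B LEE pan=5500000000000004 exp=0810 amt=120.00",
]

# A run of 13 to 19 digits not touching other digits on either side.
CANDIDATE_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(line: str) -> List[str]:
    """All Luhn-valid 13-19 digit runs in a line (likely card numbers)."""
    return [m for m in CANDIDATE_RE.findall(line) if luhn_ok(m)]


def mask(pan: str) -> str:
    """Keep first six and last four digits, star out the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def redact_line(line: str) -> str:
    """Rewrite a line so any PAN it carries is masked before it is logged."""
    return CANDIDATE_RE.sub(
        lambda m: mask(m.group(1)) if luhn_ok(m.group(1)) else m.group(1), line)


def scan(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, masked PAN) for every unmasked PAN found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((lineno, mask(pan)))
    return findings


if __name__ == "__main__":
    for lineno, masked in scan(SAMPLE_LINES):
        print(f"line {lineno}: unmasked PAN {masked}")
```

Run against the constructed lines it reports lines 1 and 4 only. A real sweep would point `scan` at log directories, database dumps and temporary files on the processing hosts; the number of hits, and the age of the oldest file holding one, gives a lower bound on how long clear-text card data has been sitting where malware like the one described here could read it.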
Another thing Maloni says he can confirm is that it wasn't an inside job. He says the U.S. Secret Service, which is investigating the breach along with the U.S. Department of Justice, has uncovered information that leads them to believe it may involve individuals outside the U.S.
"It appears to be an international cyber crime organization – a global cyber crime organization," he said, though he wouldn't provide any details about the countries allegedly involved.
Representatives of the U.S. Department of Justice and the U.S. Secret Service were contacted but refused to comment.
Also of interest to investigators is the entry point the criminals used to install the software on the server. Neither U.S. authorities nor Heartland have released information on this yet. Shackelford admits it's speculation, but he says hackers often use badly coded Web sites as back doors to company servers. This would enable the hackers to plant the software from an off-site location.
When it comes to prosecuting data breaches such as this, Shackelford says the international aspect can be a significant obstacle, given that some countries have no extradition laws for computer crime. In fact, he says U.S.-based criminals will often send the data from server to server, crossing through one of these countries so authorities will be unable to follow the trail.
"The minute it crosses the border into Yugoslavia, the case is almost dead," he said. "It's crazy, right? Most people don't realize that the Number One location in the world for online auction fraud is Romania. Romania is one of those countries, so it's very, very difficult to prosecute things there."
Obviously criminals can be prosecuted, but the breach does raise questions of liability. Shackelford says the onus is on card associations like Visa and MasterCard to put the pressure on processors and merchants that get compromised. He says that pressure could come in the form of dramatically increased transaction fees for any Visa or MasterCard transactions, or through card issuers disallowing the transaction altogether – something he says didn't happen after the TJX case.
"Have they (TJX) really suffered at all?" he asked. "That's the question. No. They got a slap on the wrist. They had some fines levied against them that were paltry."
At the same time, he says consumers remain indifferent to news of the breaches.
"If you as a consumer still go shop at Marshalls and pay with a credit card, even after what happened happened, then TJX pretty much gets away scot-free," he said. "Consumer apathy is one major problem."
That said, it's still unclear what actions Heartland could have taken to avoid the alleged breach. According to Maloni, the company has been PCI compliant as of April 2008.
He dismissed the suggestion that Visa and MasterCard should raise Heartland's transaction fees.
"It serves no one to talk about stringent penalties unless we're also going to talk about what we need to do to make sure we have stringent security," he said, adding that Heartland has created a site, www.2008breach.com, where consumers and merchants can learn more about the data compromise.
The liability factor
The real question that might worry merchants, restaurants and self-service deployers that are customers of Heartland is the issue of liability. Could they be held civilly liable for choosing a payments processor that may not have had all the necessary security measures in place?
Larry Washor, an attorney for Los Angeles-based Washor & Associates who specializes in business and technology law, says he doesn't think so, since there is virtually no way a merchant can investigate a processor's security measures, beyond confirming that it is PCI compliant.
"Suppose you said to the processor, 'Hey processor, I'm concerned about security. Can I send a team in to verify the adequacy of your security measures?'" he asked. "What do you think the processor would say to you?"
However, there are some basic steps a merchant can take, he says, to make sure the processor has a clean record.
"Check with the Better Business Bureaus as to the reputation of the processor," he said. "Some have very, very bad reputations. I could name several that I would recommend people not use, although I wouldn't want to do it in print."