Heartland Payment Systems breach: An InfoSec History Lesson

This isn’t very recent, but the Heartland Payment Systems breach, in 2008, is considered one of the largest data breaches to date, and I thought it would be interesting to bring it up for discussion.

Heartland Payment Systems is a payment processor for Visa and Mastercard, and it processes credit, debit, online and prepaid transactions.

Sometime in 2008, Mastercard and Visa began to observe suspicious transactions in their audit logs and raised a flag with Heartland.
Investigations eventually reported that more than 130 million credit and debit card details had been stolen from the Heartland Payment Systems database.

Heartland was then deemed no longer compliant with the Payment Card Industry Data Security Standard (PCI DSS).
It was revalidated only in May 2009.

Apart from the loss of revenue during this period, Heartland had to pay over $145 million in compensation to Visa and Mastercard for fraudulent payments.

In August 2009, Albert Gonzalez and two unnamed Russians were indicted for this breach. In March 2010, Gonzalez was sentenced to 20 years in federal prison.

Gonzalez had discovered a vulnerability in the web login interface that had existed for over eight years. Through a series of SQL injections he gained access to the database and managed to install “sniffer” spyware that read, recorded, and transmitted transaction and card details to him.

In an August 2009 interview with csoonline.com, Heartland CEO Robert Carr openly declared that the QSAs (Qualified Security Assessors) “had let them down.”
He goes on to say he was “stunned” to learn that “the auditors have contracts with clients that essentially absolve them of gross negligence” and that “the false reports” he “got for 6 years” gave them “no recourse. No grounds for litigation.”

With regard to ethical concerns, it is interesting to note that in February 2009, William Jackson, in an article on gcn.com, wrote that what he finds “most disturbing is the company’s continuing state of denial about the disaster,” that “spokesmen repeatedly assured the public that the only information stolen was cardholders’ names and account numbers,” and that there was “nothing to worry about there.”

He goes on to say that “the Heartland breach shows that when moral and ethical imperatives are removed, security can become primarily a PR issue”.
This is particularly interesting because the same article suggests that the company chose to release “the news” of the breach on Jan. 20, 2009, “apparently hoping to avoid attention while the country focused on President Barack Obama’s inauguration.”

However, after declaring the breach, even if it was timed to soften the blow, and even after initial denials, I do think that the company did the right thing in accepting full responsibility for the breach, in paying its dues, and in investing in strengthening its systems.
They then relaunched themselves in May 2009 by getting revalidated with PCI DSS, and managed, in the process, to build a robust security design and win back the trust of their shareholders and customers.