FTC Mum on Heartland Breach

CardSystems Case Shows How Similar Investigation was Handled

Who will investigate the Heartland Payment Systems (HPY) data breach?

As a non-banking financial services entity, Heartland falls under the auspices of the Federal Trade Commission (FTC). So far, the FTC is mum on the case. "Our policies keep us from either confirming or denying a non-public investigation," says Jessica Rich, Assistant Director in the FTC's Division of Privacy and Identity Protection, Bureau of Consumer Protection.

But if you look back at recent history to the CardSystems Solutions Inc. case of 2005, you gain insight into how the FTC handles such cases.

CardSystems: What Happened

At the time it was discovered in 2005, CardSystems' breach of 40 million consumer credit/debit cards was the largest known compromise of financial data. CardSystems was the first credit card processor that the FTC prosecuted for failing to take appropriate security measures to protect sensitive information. The FTC said that, as a result of the breach, millions of dollars of fraudulent purchases were made. The FTC's settlement required CardSystems (by then owned by Pay By Touch, another payment processor) to implement a comprehensive information security program and to obtain audits by an independent third-party security professional every other year for 20 years. No fine was levied against CardSystems, but the FTC did say that the company would be liable for any lawsuits brought against it by financial institutions or customers.

The FTC found that the payment processor had kept information it had no reason to keep, and then stored it in a way that put consumers' financial information at risk. CardSystems provided merchants with products and services used in "authorization processing" - obtaining approval for credit and debit card purchases from the banks that issued the cards. In 2005, it processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and mid-size merchants. In processing these transactions, CardSystems collected personal information from the magnetic stripe on the card, including the card number, expiration date and other data. CardSystems then stored this information on its computer network, where hackers broke in and took millions of credit and debit card account records.

The FTC charged that CardSystems failed to provide reasonable and appropriate security for sensitive consumer information, specifically that it:

created unnecessary risks to the information by storing it;
did not adequately assess the vulnerability of its computer network to commonly known or reasonably foreseeable attacks, including "Structured Query Language" injection attacks;
did not implement simple, low-cost, and readily available defenses to such attacks;
did not use strong passwords to prevent a hacker from gaining control over computers on its computer network and access to personal information stored on the network;
did not use readily available security measures to limit access between computers on its network and between its computers and the Internet; and
failed to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.

Pay By Touch filed for bankruptcy in 2007 and finally closed its doors in March 2008.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.



