Heartland Breach: Bigger than TJX?

Experts Debate How it Happened and What Damage Could be Done
Heartland Breach: Bigger than TJX?
Exactly how big was the Heartland data breach?

This is the great unanswered question since last week, when Heartland Payment Systems (HPY), a Princeton, NJ-based credit card processor, revealed that its computer systems had been breached, and an unknown number of credit card account numbers were exposed to hackers. Heartland Payment Systems data breach coverage

Since then, at least eight financial institutions have stepped forward to say their customers had cards affected by the breach, and one security expert says, in theory, that Heartland could be bigger than the TJX breach that dominated the news and set the data breach benchmark in 2007.

The Scope of the Breach

Heartland officials say they haven't been able to assess the total number of card numbers that may be taken, but VISA and MasterCard have already been contacting banks and credit unions around the country, informing them that debit and credit cards issued to their customers were affected as a result of the Heartland breach.

Added to the growing list of institutions that say their customers have been hit are:

Piedmont Credit Union, Virginia;
Oregon Territory Federal Credit Union;
Notre Dame FCU, South Bend, IN;
Kennebec Savings Bank, Augusta, ME;
Forcht Bank, Kentucky;
GFA Federal Credit Union, Gardner, MA;
TD Bank and TD Bank North, Portland, ME;
PeoplesChoice Credit Union, Saco, ME.
State Employee's Credit Union (SECU), Raleigh, NC
Innovations Federal Credit Union, Bay County, FL (400 cards)
Summit Federal Credit Union, Rochester, NY (500 cards)
The Bank of Fayetteville, Fayetteville AR
Farmers and Merchants Bank, Stuttgart, AR
Arkansas County Bank, Stuttgart, AR
The Central National Bank and Trust Company of Enid, Enid OK, (1600)
Adams Bank & Trust, Grant, NE
Valley Bank & Trust, Gering, NE (16)

According to company leaders, Heartland's computer network was compromised sometime in 2008, when a hacker installed sniffer malware that was able to see credit card numbers and other details. It is unknown how long the sniffer software was active or how much card data was captured. But Avivah Litan, Distinguished Analyst at Gartner Group, says the Heartland breach is potentially an historic one.

"In theory, at least (without more details disclosed) this is more severe than the TJX breach since the criminals intercepted good live card transactions," Litan says. In the TJX breach case, many of the cards accessed were dead and deactivated.

Payment Processors: The New Target?

Fraud and security experts have already predicted that larger retailers and businesses would be victims of hackers, and payments processors such as Heartland are a prime target for criminals who want to have a large amount of data that could be sold quickly.

"That's where they get the most data - so why wouldn't they," Litan says. "It shows that they can likely penetrate just about any part of the payment system that they choose to, and in my mind it means compliance with the PCI standard is putting a Band-Aid on a systemic problem, and that it is likely to come off relatively easily."

"From a criminal's perspective, they want to compromise the most information with the least amount of work," says Mike Urban, Senior Director of Fraud Solutions at Fair Isaac. "Obviously, a large processor will see more unique data than a large merchant and therefore be an appealing target to the criminals,"

Adil Moussa, card payment systems analyst at Aite Group, agrees with Urban, adding, "Hackers are changing their target... retailers are still going to be their favorite target; however, why have so little ambition when you can go to the merchant processor who processes for thousands of these retailers? Hackers can get more information that way."

In general, Urban says criminals will target any organization they can get into - large or small. "They don't limit it to a specific type of organization. That said, criminals will target specific types of data that they know they can market, and payment card information is very high on their list."

How Did It Happen?

The Heartland breach, because it involved the use of a sniffer, made it hard to detect, says Dave Taylor, head of the PCI Knowledge Base. "It is a type of passive attack (meaning it just watches traffic over a network node, rather than modifying the traffic). Since they don't communicate or interact with other systems, they are hard to detect."

The sniffer, also referred to a network analyzer, would be programmed to look for a pattern in the text (a 16-digit number in this case), and then copy any related content to a file, which then - somehow -- had to be communicated to the thieves. "That's hard, since I assume the server where the sniffer resides would not be connected to the Internet," Taylor says.

Taylor theorizes that some social engineering was used (or someone on the inside cooperated) to get the code on one of the servers doing card processing, with another server that does the external communication. "Very few people likely have the credentials to install code, and [the servers] are not (or should not be) accessible to the public Internet," Taylor says. "I'm guessing a rootkit was installed - somehow. That helps cover the tracks of the communications and could keep configuration monitoring or file integrity monitoring systems from detecting it, assuming they were up and running."

Paul Kocher of Cryptography Research, an information security expert and researcher, says although the technical details of the attack are different, "The situation is eerily reminiscent of the CardSystems mess a few years ago."

"While it is unlikely that we'll ever know how the software got there, as it could have been an inside job, an attack from the Internet, a CD with Trojan-horse software mailed to someone," Kocher says, "once installed, the software was able to record payment transactions as they go past. This is easy to do if the data isn't encrypted."

In this situation, Kocher notes there were a handful of things that went wrong:

Heartland failed to prevent the bad code from getting installed in the first place;
The processor had an inadequate cryptographic architecture. Ideally, incoming payment data should have been encrypted on a dedicated hardware box immediately as it arrived;
The sniffer presumably was transmitting off the data it captured, and this type of connection often can be observed and/or blocked.

How to Avoid the Next Breach

Financial institutions should take notice of the Heartland breach, says Gartner's Litan. "Institutions need to continue beefing up fraud detection efforts," she says.

It's quite possible that Heartland had 'state-of-the-art' security controls and that the malware still remained undetected because it was not spotted by largely-signature-based detection systems, she says. "I think the payments industry needs to take some long-needed security steps including end-to-end encryption (which is now employed relatively successfully for ATM PIN processing) and stronger cardholder authentication so that even if data is stolen, it's useless unless the thief steals the physical card belonging to the legitimate cardholder," Litan says.

Litan sees more radical steps, such as end-to-end encryption and stronger cardholder authentication, are called for and have been for a long time. "But we probably need a few more breaches before those steps are mandated by the card industry, if indeed they ever are," Litan says. "In these cases, the breached entity ends up bearing most of the costs, so as long as that continues to be the case, other involved companies aren't likely going to want to fork up large sums of money for more radical security improvements."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network