Heartland Payments CEO says end-to-end encryption could prevent card, data breaches

Published: 2 February 2009 y., Monday

 

Nearly one week after news emerged of the big data breach at Princeton, N.J.-based merchant acquirer Heartland Payment Systems Inc., it remains unclear how much damage actually happened and who did it. One report suggests Heartland’s breach-related legal liabilities could approach $98 million, an estimate a Heartland spokesperson dismisses as speculative.

The spokesperson tells Digital Transactions News on Monday that the so-called “sniffer” program secretly planted on one of Heartland’s payment-processing platforms was not being used when investigators found it about two weeks ago. “It was inactive,” the spokesperson says. “I want to be specific to say it was inactive,” he adds, clarifying that the hackers hadn’t deliberately disabled or deactivated it.

Robert Carr, Heartland’s chief executive, meanwhile, issued a statement calling for better industry cooperation and new operational procedures to prevent future data compromises, including industrywide, end-to-end encryption to fully protect cardholder data. Heartland uses encryption, but industry procedures leave data unencrypted during one brief point of the authorization process—a weakness that hackers have learned to exploit. Carr also said Heartland is working on its own system of end-to-end encryption.

Heartland last week said it learned late last fall of the malicious software, or malware, that captured unencrypted card numbers during the authorization process. The spokesperson on Monday said Visa Inc. and MasterCard Inc. first alerted Heartland about suspicious activity sometime in late October or early November. Despite bringing in outside experts, it took until this month to actually find the program, which possibly could have been planted as far back as May (Digital Transactions News, Jan. 22). The spokesperson says he doesn’t know exactly when it was placed on the platform that processes 100 million transactions monthly from about 175,000 small and mid-sized merchant locations, but says it has now been contained and removed. “Our understanding is it was limited to being active in 2008,” the spokesperson says. “Unfortunately, it was very sophisticated.”

Citing unnamed sources, the online newsletter StorefrontBackTalk on Friday afternoon said the U.S. Secret Service “has identified an overseas suspect” in the Heartland breach, but offered no other details other than to say the U.S. Department of Justice is involved and that the suspect is “outside of North America.” Neither the Heartland spokesperson nor a spokesperson for the Secret Service, which is investigating the breach, would confirm that report. “I have nothing on that story,” says the Washington, D.C.-based Secret Service spokesperson.

A foreign connection would not be surprising. In announcing the breach Jan. 20, Heartland said in a release, “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.” Many of the suspects the DoJ charged in connection with the record payment card breach at retailer TJX Cos. were foreign nationals (Digital Transactions News, Aug. 6, 2008).

Besides the missing details about the breach itself, another big unknown is the financial hit Heartland will take. Heartland faces possible lawsuits or bills from credit and debit card issuers for breach-related fraud losses and card reissuance. Some observers have speculated Heartland’s breach could be bigger than TJX’s, which may have compromised up to 94 million card numbers. Although public reports of actual fraud linked to the Heartland breach have not yet surfaced, local press stories monitored by Digital Transactions News report that many community banks and credit unions are reissuing cards whose numbers were compromised when customers made purchases at Heartland merchants. At least one issuer is reissuing about one-third of its card portfolio. Others are taking a wait-and-see approach, telling cardholders to be alert for possible misuse. The nation’s biggest banks—JPMorgan Chase & Co., Citigroup Inc. and Bank of America Inc.—are giving few details about their responses to the breach.

In a report issued Sunday, investment bank Goldman Sachs Group Inc. estimated Heartland could face possible litigation costs of almost $98 million. In arriving at the estimate, Goldman Sachs estimated the affected platform’s 100 million monthly transactions came from 20.5 million unique cards, resulting in potentially 143.5 million cards compromised from May through November. Applying what it says were 68 cents in losses per card from the TJX breach, Goldman Sachs estimates Heartland’s possible liability is $97.7 million.

The Heartland spokesperson, however, dismisses that figure. “I think that is speculation,” he says. “We expect there will be some damages, but I think it’s very preliminary to put a figure on it.” In its report, Goldman Sachs said its assumptions were subject to change depending on further disclosures.

In a news release Friday afternoon, Heartland founder Carr said his company had added more than 400 merchant clients in the preceding few days, more than it did in the same year-earlier period, “despite the headwinds of the economy and attacks by some of our competitors …”. Carr issued a call for payments companies to share more information about the computer-related fraud they experience. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again,” Carr said. “I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week.”

In Heartland’s case, the thieves captured account numbers, expiration dates, and some cardholder names, but not confidential merchant data, Social Security numbers, unencrypted PINs, addresses, or telephone numbers.

 


 

Copying, publishing, announcing any information from the News.lt portal without written permission of News.lt editorial office is prohibited.

Facebook Comments

New comment


Captcha

Associated articles

Congress Covets Copyright Cops

Congress is set to more than double the number of federal copyright cops. more »

India Hackers Scared Straight?

Indian hackers always thought they were too sophisticated to fall into the hands of the rough cops in this country, whom various human rights groups routinely accuse of brutality. more »

Australian Internet Users Badly Served - Study

One in four Australian households and businesses can't use a phone line to download a simple Web page in less than six minutes, the Australian government's Productivity Commission said. more »

The humiliation virus

How Sircam can help turn your most private documents into a worldwide joke. more »

Will users pay to play music online?

After months of hullabaloo over online music subscription services, it appears as though the industry big boys are finally ready to test the waters. more »

EPIC to protest Passport bundling with Win XP

The Electronic Privacy Information Center (EPIC) is preparing to file a complaint with the U.S. Federal Trade Commission (FTC) about Microsoft Corp.'s plans to bundle its Passport identification service with Windows XP more »

Sun, HP open their code to developers

SUN MICROSYSTEMS AND Hewlett-Packard are expected to announce separately Monday that they will make projects under development at the companies available to developers under the open-source model, adding further support to the collaborative development mo more »

Pentagon Blocks Public Web Site Access

Servers Struck by 'Code Red' Virus more »

search.lt news

search.lt presents newest links more »

Code Red Worm

A malicious piece of software more »