Doghouse: Heartland Payment Systems

Posted in Computer Security by Thomas Cantrell on March 15, 2009

Last week I got a notice that my debit card was being canceled due to a security breach at Heartland Payment Systems. I did a little googling and came across their official site for the breach. While I am never sympathetic to those who are careless with my data, I was surprised and a bit disgusted at the details revealed by the press releases on that site.

From a press release on January 20th, 2009:

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.

Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.

And from a press release on January 27th, 2009:

“Heartland has been working on the development of end-to-end encryption, but in light of our recent data breach and the impact cyber fraud has had on the public and processors nationwide, we are ramping up our efforts,” Carr continued. “To do this, we are forming a dedicated internal department and have named Steven M. Elefant, a well-known expert in point-of-sale payments, executive director.”

These press releases make me sad because they speak of security problems and solutions that were worked out ten to twenty years ago. Encryption of data in transit is implemented in a plethora of mature protocols, IPsec and TLS to name two; had card data been encrypted as it crossed Heartland's internal network, a sniffer sitting on that network would have captured ciphertext, not card numbers. (In the payments industry, "end-to-end encryption" usually means something stronger still: encrypting at the card reader so that no intermediate host ever holds plaintext card data.) As for the "program designed to flag network anomalies in real-time," this is a little newer, but it has been packaged in various IDS products over the last decade. In other words, the press release sings out to me: "Oops. We didn't realize we were vulnerable; now we should be doing what others have told us we should be doing for a long time."

I pick on Heartland Payment Systems mostly because they are a credit card processor. They are not one single retailer, like TJ Maxx in its 2007 data breach. This is a provider whose very sales story is "The Highest Standards" and "The Most Trusted Transactions," slogans posted prominently on their main page. Anyone who works in the credit card or banking transaction industries must know by now that since their transactions are virtual money, security must be at the forefront of their minds. They are the exact target of overseas hackers, as they are the gatekeepers to the money.

My conclusion, based on the technologies mentioned in their own press releases, is that they should have known better. After all, they are a high-risk company for computer fraud. This is why Heartland Payment Systems is in my doghouse.
