MSNBC put up some interesting commentary on the Heartland security breach. Since they've placed some emphasis on the involvement of malware in the breach, it's worth making a few points.

* Heartland was PCI compliant when the breach occurred. PCI DSS v1.2 Requirement 5.1.1 states: “Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.” The crux of the problem is that this is *old* wording. “Known types of malicious software” is, in practice, yesterday’s malware: signature-based anti-virus can only flag what has already been captured and catalogued, so custom code written for a single target is exactly what it does not see. In this regard, the new PCI DSS spec was out of date before it was even published (Oct 2008).

* In the Dark Reading article on this breach, Tim Wilson quoted Palo Alto Networks: "Most security technologies in use today are about looking for the explicitly -- and in most cases already known to be -- bad. And that leaves a lot of room for error."

* This breach is almost a carbon copy of the Hannaford Brothers breach of March ’08: malicious software installed on servers sniffed/intercepted credit card data as it passed through and forwarded it to a remote location.

* Heartland itself claims to process 4 billion transactions a year, far more than the 100 million transactions a month cited in the various news articles. Although Heartland does more than credit card processing (check management systems, payroll, micropayments, etc.), it was the credit card processing part of the business that suffered the breach. According to the MSNBC article, Heartland has publicly stated that about half of its business comes from restaurants. If Heartland is actually doing 4 billion transactions a year, and half of those are restaurants, then 2 billion transactions a year are tied specifically to restaurants; the restaurant business alone would generate roughly 166 million transactions a month. The final numbers could be staggering, since Heartland is the 5th largest card processor in the country. This has the potential to overshadow the TJX breach by a very, very large margin.
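
The two points above (signature AV only catches samples it has already seen; the malware's real footprint is card data leaving the network) suggest the control a processor would actually want: inspect outbound traffic for track data and Luhn-valid PANs instead of waiting for a signature. The following is an added example written for this post, not code from Heartland, Hannaford, or any AV vendor. The hash list standing in for an AV database, the sample "outbound" flows, and the destination addresses are all constructed for illustration; track-1/track-2 layout and the Luhn check are standard.

```python
import hashlib
import re

# --- 1. What a Requirement 5.1.1-style control does: match known samples ---
# Constructed stand-in for an AV signature database (hypothetical sample).
KNOWN_BAD_SHA256 = {hashlib.sha256(b"sniffer-build-1").hexdigest()}


def signature_match(binary: bytes) -> bool:
    """True only if this exact sample has been catalogued before."""
    return hashlib.sha256(binary).hexdigest() in KNOWN_BAD_SHA256


# --- 2. What the sniffer actually produces: card data on the wire ---------
def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check digit; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                     # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Track 1 ("%B<PAN>^NAME^...") or track 2 (";<PAN>=YYMM...") as read off
# the magstripe; a sniffer in the POS/processing path sees exactly this.
TRACK_RE = re.compile(r"(?:%B|;)(\d{13,19})(?:\^|=)")
# Bare PANs, optionally space/dash separated, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text: str) -> list[str]:
    """Return distinct Luhn-valid PANs found in a payload."""
    found: list[str] = []
    for m in TRACK_RE.finditer(text):
        if luhn_ok(m.group(1)) and m.group(1) not in found:
            found.append(m.group(1))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """PCI display rule: first six and last four only, so alerts never leak PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_egress(flows: list[tuple[str, str]]) -> list[dict]:
    """flows: (destination, payload). One alert per flow that carries card data."""
    alerts = []
    for dst, payload in flows:
        pans = find_pans(payload)
        if pans:
            alerts.append({"dst": dst, "count": len(pans), "sample": mask(pans[0])})
    return alerts


# Constructed sample traffic (test PANs, documentation addresses), not captured data.
SAMPLE_FLOWS = [
    # track 1 + track 2 of one card being posted to a drop server
    ("203.0.113.7:443",
     "POST /up HTTP/1.1\r\n\r\n%B4111111111111111^DOE/JOHN^2512101?;4111111111111111=2512101?"),
    # bare PANs, space- and dash-separated, inside a text dump
    ("203.0.113.7:443", "batch 17: 5500 0000 0000 0004 exp 12/25; 4012-8888-8888-1881"),
    # benign: a 16-digit order id that fails Luhn, plus a date
    ("198.51.100.20:80", "order 1234567890123456 ref 20090122"),
]


def demo() -> dict:
    known = b"sniffer-build-1"
    rebuilt = b"sniffer-build-1 \x00"   # same tool, repacked: hash no longer matches
    return {
        "sig_known": signature_match(known),          # True
        "sig_rebuilt": signature_match(rebuilt),      # False: not "known" yet
        "egress_alerts": inspect_egress(SAMPLE_FLOWS),  # fires regardless of binary
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The Luhn filter is what keeps this usable: a 16-digit order number or timestamp trips the regex but not the check digit, so the egress rule alerts on the two flows carrying real (test) card numbers and stays quiet on the benign one, and the masked sample means the alert itself is not another copy of the PAN.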

On 22 January, its stock (symbol: HPY) dropped 42%. Again, according to the Dark Reading article, if it costs the processor $30 per card to replace 100 million cards, that's $3B in replacements alone. Then there are the notices that have to be sent out, investigation and litigation costs, the cost of providing credit monitoring for those affected, and fines/penalties. Needless to say, brand erosion will add to the loss of revenue on top of all that.

This isn’t a “hacker” problem; it’s organized crime combined with incredibly complex and advanced software engineering. The developers writing this highly targeted malware aren’t hacks, and the lone hobbyist intruder is a “yesterday problem”. They’re part of an organized crime ring and as such are criminals, not (just) hackers. The term “hackers” has a watering-down effect on the public and should be phased out in the context of organized (cyber)crime.

Jeff Debrosse CSA CC
Research Director, North America