Largest Data Breach Disclosed During Inauguration

rmogull writes "Brian Krebs over at the Washington Post just published a story that Heartland Payment Systems disclosed what may be the largest data breach in history. Today. During the inauguration. Heartland processes over 100 million transactions a month, mostly from small to medium-sized businesses, and doesn't know how many cards were compromised. The breach was discovered after tracing fraud in the system back to Heartland, and involved malicious software snooping their internal network. I've written some additional analysis on this and similar breaches. It's interesting that the biggest breaches now involve attacks installing malicious software to sniff data — including TJX, Hannaford, Cardsystems, and now Heartland Payment Systems." One bit of good news out of this massive breach is that, according to Heartland's CFO, "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." Heartland just put up a press release on the breach.

Re:WTF???

[EvanED]

I would say it may have quite a lot to do with it... it's either a pretty big coincidence, or they are trying to bury the news by releasing it when the networks actually have something else to report on.

What's your bet on?

Re:WTF???

[amRadioHed]

The implication is that they timed the announcement to occur when no one is paying attention.

Re:WTF???

[oldspewey]

Today. During the inauguration. WTF??? What does the inauguration have to do with this?

Well, somebody who is inclined toward cynicism might conclude that the company deliberately chose to release this information when public attention would be diverted elsewhere.

Suckers

[htnmmo]

This is why I never go on the internet. It's just not safe.

Re:WTF???

[idontgno]

[Heartland Payment Systems President and CFO] Baldwin said Heartland worked to disclose the breach last week.

"Due to legal reviews, discussions with some of the players involved, we couldn't get it together and signed off on until today," Baldwin said.

"Legal reviews": "Holy crap, we're gonna get our butts sued off if this breach becomes a big news story! You have to delay this until we can start a war or something to distract the press!"

"Will the inauguration hype of the first African-American President of the United States work as a distraction?"

"Brilliant!"

Re:WTF???

[idontgno]

And Linux is always better than Windows on Slashdot, because every day is Pedantic Asshole day here!

Re:WTF???

[Ambiguous+Coward]

Well, somebody who is inclined toward reality

No need to thank me.

Also, FTFA:

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn't until last week that investigators uncovered the source of the breach...

Meaning they knew about it long enough to hire some forensics teams, do the research, figure out where the breach came from, etc. and they finished all that up last week...and then decided to wait until NOON today to release the news to the public? Sorry, but that's plain bullshit, no cynicism involved. If they were interested in disclosure, they would've released the news sooner. At the very latest, they would've released it as soon as they found out how it happened (so they could say they had already closed the breach.)

Instead, they wait until noon (they're a New Jersey company) when the inauguration is happening? Why not sooner in the day? Why wait until what would arguably be lunch time usually? Who discloses breaches at lunch? Answer: nobody. On the other hand, who discloses breaches during a HUGE national (and arguably international) event? Answer: someone trying to hide something.

Again, I say inclined toward reality, not cynicism.

solution to CC breeches ..

[rs232]

What's needed is a totally new kind of online financial transaction system. One that don't use card numbers. A dongle on the client connects to the server generates a one-time session key,and identifies itself to the server and displays a random Pin code, the customer then types it in to verify the transaction. The session is encrypted and the data sent can only be used for the one transaction, no repeat man-in-the-middle hacks ..

First in a long line of discoveries to come

[WillAffleckUW]

Those who claim to be perfect but never admit mistakes usually are covering up for massive mistakes.

And the missing million emails we know of are just the observable symptom, as are the transactions in this health data breach.

The old truisms of data security still apply:

1. It's usually insiders that provided or passed on information used to get access.

2. Those who cover up problems only create even larger problems, due to the system of trust.

3. You can stop 99 percent of attacks with reasonable security measures, but a determined attacker willing to use human intelligence methods will almost always get through the other 1 percent - the trick is knowing what measures will dissuade the 99 percent and implement those, and use reporting to discover the other 1 percent instead of measures that will be defeated anyway.