Industry Reaction to Heartland Data Breach

Information security companies reacted quickly to the news of the Heartland Payment Systems (HPY) breach. Here is a roundup of thoughts on the breach, recommendations on how to handle sensitive personal data, and what industry thought-leaders see emerging as a result of this breach:
Bill Conner, President and CEO, Entrust:
With over 100 million credit and debit card accounts compromised, the government needs to continue to move quickly to standardize data breach notification laws and call for technology like encryption and stronger authentication that truly protects consumer information.
Cybercrime continues to grow and is increasingly affecting more and more of this country's citizens. To slow the upward trend of cybercrime in this country, all organizations, enterprises, consumers and even governments need to carefully review current security approaches and identify key gaps within their infrastructures.
Congress needs to pass a data breach notification law that better protects consumer identities through stronger data security standards with strong encryption. This is an opportunity to do something about a security issue that impacts all Americans.
Phil Neray, VP, Security Strategy, Guardium:
This breach highlights the need to go beyond 'old school' security techniques like simply reading your log. Organizations need to implement technologies such as real-time activity monitoring to catch 21st-century criminals.
As the Heartland breach illustrates, you can be PCI compliant and still be breached. Good compliance does not mean good security.
Michael Maloof, CTO, TriGeo Network Security:
The perception that credit card data is 'safe' within the walls of a corporation is an illusion that we need to shatter. This form of attack has a very low profile and high payoff, so it's critical that companies look inward and put their networks under a microscope.
The magnitude of this breach may be grossly underestimated. With more than 100 million transactions per month, and no indication of how long the sniffer technology was in place, they could discover that several months' worth of transactions were captured.
Dave Shackleford, CSO, Configuresoft:
The first important point to note about the Heartland breach is that they were, by all accounts, PCI compliant. This underscores the notion that compliance does not equal security, as many tend to believe. Most organizations do not want to spend large sums on security technology and services, as there is rarely an obvious return on the investment. Instead, many companies have taken to spending just enough to "get compliant", which is a mistake. Any seasoned security professional will tell you that compliance regulations should only be considered the bare minimum in terms of controls necessary for adequate coverage. Even the PCI Data Security Standard, widely considered to be the most technically articulate standard in existence today, only lays out a basic strategy for protecting sensitive payment card data. Although we don't yet know what initial penetration vector the attackers succeeded in exploiting to gain access, the situation demonstrates that there were exploitable vulnerabilities present that allowed access to the payment card environment.
The second major concern in this story relates to Heartland's lack of immediate detection of the malicious software the attackers planted. This problem is widespread in most organizations - audits are viewed as "snapshots in time," and are considered discrete events. In other words, systems are really only known to be in a fully compliant status when the auditor assesses them, and lots of undetected changes can occur in between audits. Even with logs and other audit trails, security teams are often using "after-the-fact" data to reconstruct events and determine what went wrong, when, and how. In fact, in the case of passive attacks such as this one, where the attackers simply installed keylogging and sniffer software, the intent is simply to gather data and send it back to the attackers, nothing else. If the initial event or attack is missed somehow, this can go unnoticed for an indefinite length of time. By instituting sound change detection and file integrity measures on all critical systems, the unauthorized installation of software is detected immediately and reported. Although this may not prevent the initial breach, very little (if any) data would have actually been stolen.
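The change-detection and file-integrity measures Shackleford describes are easy to prototype. The block below is an added example written for this page, not code from Heartland or from any of the vendors quoted: it hashes every regular file under a directory, stores a baseline, and later reports files that were added, modified or removed. The directory layout, file names (`bin/switch`, `bin/snf`, `etc/switch.conf`) and file contents are constructed for the demonstration and are not taken from the breach.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, streamed so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Walk `root` and record digest, size and permission bits of every regular file.

    Keys are paths relative to `root`, so the baseline can be stored off-host
    (an attacker with root on the monitored box can otherwise edit it) and
    compared on a schedule, which is what a file-integrity monitor does.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # record only what is really on disk here, never follow links
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o777,
            }
    return baseline


def diff_baseline(old: dict, new: dict) -> dict[str, list[str]]:
    """Classify every difference between two baselines.

    `added` is the case that matters for a planted sniffer or keylogger: a
    binary that was never in the approved baseline. `modified` also fires on a
    permission change alone, since a chmod is enough to make a dropped file runnable.
    """
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(
            k for k in old_keys & new_keys
            if old[k]["sha256"] != new[k]["sha256"] or old[k]["mode"] != new[k]["mode"]
        ),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny 'payment host', then plant a new
    binary and tamper with an existing config, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "switch").write_bytes(b"\x7fELF constructed stand-in for a legitimate binary")
        (root / "etc" / "switch.conf").write_text("listen=0.0.0.0:8583\n")

        before = build_baseline(root)

        # Simulated attacker activity (constructed): a new capture binary appears
        # and the config is edited to feed it traffic.
        (root / "bin" / "snf").write_bytes(b"\x7fELF constructed stand-in for a planted sniffer")
        (root / "etc" / "switch.conf").write_text("listen=0.0.0.0:8583\nmirror=/bin/snf\n")

        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running the script prints the planted `bin/snf` under `added` and the edited `etc/switch.conf` under `modified`. In practice the baseline would be regenerated only through a change-control step and the comparison run continuously (or on an inotify-style hook) on every system in the cardholder data environment, with the diff forwarded to the monitoring team rather than just written to a local log.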
Dave Meizlik, Senior manager of DLP solutions, Websense:
The Heartland breach reinforces the need for organizations to get, at the very least, visibility into their data. For too long, organizations have taken a perimeter-based approach to security. Today's enterprise, however, requires a data-centric approach because that's the target: the data. Whether it's malicious or unknowing users, or hackers, the data is what needs to be protected, not just the infrastructure.
The Heartland breach sheds light on the reality more and more security managers are waking up to - the status quo isn't working. Going forward, a data-centric approach to security will need to be woven into IT systems and processes. And the first step, which many will take in 2009, is to get visibility into the data. Without visibility into what data is confidential, where it's stored, and how it's being used, an organization is blind.
Ori Eisen, Founder and Chairman, 41st Parameter:
The breach at Heartland Payments is a reality check and another example of why we must all stop acting like it is the 1970s - when you kept your credit card in your wallet and the only way someone could get your number was to dumpster dive for your carbons. Today we must assume our credit card and other account information is out there for the taking. The only way to stop it from being used successfully by someone not authorized is to validate users at the time of purchase - which is easier when the person is standing in front of a salesperson and can be asked for ID.
The magnitude of this breach is another proof that professionals are involved, and processors are in their crosshairs. While the data on the magstripe is not enough to steal someone's identity, it is enough to counterfeit their card and try to get cash at an ATM (after setting a PIN). Additionally, in areas of the world that do not have real-time authorization, fraud would be easier to commit without the address or zip code of the victim.
This is not the last time we will hear about a large block of credit cards being breached. The impact from Heartland and others to follow will be evident through increased fraud attempts, more chargebacks at merchants falling victim to these fraudsters, and damage to the reputations of the card issuers as customers question their ability to protect credit lines and may perhaps even look for alternative means of payment in the future.
Paul Davie, Founder and COO, Secerno:
The Heartland breach is a microcosm of the data security threats that today's financial institutions are facing. As the Heartland breach shows, data theft has moved beyond proof of concept attacks to the deliberate targeting of institutions, such as processors, that house large numbers of active credit card accounts. The goal of this type of operation is to grab as much information as possible, and then turn this data into counterfeit cards. These operations can be tremendously profitable for the criminal elements masterminding them, and currently there are few obstacles to stop this type of breach from happening again.
What this breach also highlights is the limits of PCI as a data protection mechanism. The intentions of PCI are noble, but the reality is that industry standards often start at the lowest common denominator, because by definition they must be inclusive. From all accounts, this large data breach occurred within the boundaries of PCI accepted behaviors and practices. Clearly, an industry standard is not enough.
Personal data needs to be given the utmost priority in terms of protection. Financial institutions have a tremendous opportunity to lead the charge for safer data, and this would be a wise move, since the next step could be mandated data protection legislation, as some states are proposing.
The lifeblood of a financial institution (and any company for that matter) is its data. The majority of companies take the utmost care in keeping hackers and others out of their network. However, there is a surprising lack of protection inside the corporate network. What Heartland ultimately shows is the need for a holistic approach to security. Don't assume that data is safe inside the firewall. As evidenced by Countrywide and a host of others, insiders are an equally grave threat.
Amir Orad, Chief Marketing Officer, EVP, Actimize:
The bad guys have again demonstrated a massive investment and long-term thinking and planning spent in order to make this breach possible. As in the TJX case, this should raise a "blinking red" flag: this level of preparation and investment by the bad guys dramatically raises the bar on what FIs need to deal with and defend against in this market.
In security, people always say that typical defenses are very effective against most attacks. But if someone attacks you specifically and develops custom technology designed to attack you specifically, it will be very difficult to defend against (true with viruses, Trojans, etc). Well, seems like the bad guys are doing just that.
Traditional approaches to data compromises and stolen cards have been A) to cancel and replace the card or B) to use watch lists or card lists that make fraud detection software more sensitive to transactions with cards that are compromised. This was an effective method when the number of compromised cards was in the thousands or even tens of thousands. When a large part of the US population's data is compromised, these methods become much less effective due to A) replacement cost or B) false positives, and much more modern analytics surveillance technology is required to deal with this massive problem.
Aaron Bills, Co-founder and COO, 3Delta Systems:
The Heartland Payment Systems' malware breach brings two truisms to mind: Good security is difficult. Good security in complex systems that allow user access is especially difficult.
The payment industry has taken exceptional strides to self-regulate and foster better data security in the U.S. through initiatives such as the Payment Card Industry Data Security Standard (PCI DSS). These standards encompass 12 core requirements covering security management, policies, procedures, network architecture and software design, to help merchants and organizations that process, store or transmit payment card data establish strong technical and operational requirements for safeguarding cardholder data.
Some critics argue that these standards are worthless because some compliant companies such as Heartland Payment Systems have suffered a data breach. I say rubbish.
Becoming PCI-certified doesn't magically shield a business from losing data or provide impenetrable security against hackers or malware. It does mean, however, that a company's processes and technologies meet the most stringent criteria we have as an industry for processing or storing confidential payment data.
The PCI standards are not a panacea for solving all security ills, nor are they static. Like information technologies themselves, they are a continual work in progress. And they are very good security industry standards in much the same way that the International Organization for Standardization (ISO) 9000 is a very good worldwide benchmark for quality management in manufacturing and service organizations.
Let's say you buy a car from an ISO 9000-certified manufacturer that has adopted a quality system designed to minimize defects and focus on continuous improvement. This ISO 9000 standard conveys certain controls and processes are in place at that manufacturer to produce a quality car. It doesn't guarantee, however, that your new car will be completely free of defects.
Like quality manufacturing improvement, IT security improvement requires daily vigilance and work. You don't "get PCI compliant" automatically. You maintain PCI compliance. It's a constant state of being, not a yearly audit event.
Each of us in this industry can learn from the very difficult lessons of companies whose data has been breached so that we can improve our own systems and countermeasures. We'll all learn from the Heartland breach, others that have preceded it and still others that will certainly follow.
Mike Rothman, SVP, Strategy, eIQnetworks:
It looks like the tough economy is impacting credit card hackers as well. Now they are looking to get more leverage out of their efforts and that means targeting bigger organizations that manage more card data. This makes credit card payment processors, large merchants, and even clearing banks targets for today's attackers. This means that PCI is clearly not enough. Given the Hannaford and Heartland Payment Systems breaches on "PCI compliant" organizations, every organization needing to protect large amounts of data needs to go beyond the 12 requirements set forth in PCI.
PCI compliance is no defense against this kind of attack. At least how the PCI-DSS is written now. Logging data (requirement 10) is not going to catch this attack because the firewall was breached (which means the traffic was allowed) and the malware (key logger or sniffer) was installed on a set of devices.
The fact that Heartland was compromised is not the real point. The issue is how to make sure this doesn't happen again. And not to you. Based on what we know of the attack, there were a number of points where the attack could have been detected.
Unfortunately, this won't be the last time we hear of a successful attack on PCI compliant organizations. Leading organizations won't wait until they are compromised to put in place a broader and more effective monitoring environment.
Mark Bower, information protection expert, Voltage:
The real crime is that firms can very well protect all customer data and eliminate these breaches altogether quickly and easily, actually. And every company should take these steps. The focus should not be just on compliance, but should be about doing the right thing and being responsible. How long will it be before not doing the right thing is considered criminal negligence?
Tom Murphy, Chief Strategy Officer, Bit9 Inc.:
The Heartland breach highlights the need for a new approach to secure credit card data. Traditional reactive methods simply don't work for sensitive systems, such as retail and credit card processing systems. The industry needs to get proactive about malware protection and assert control over what applications are permitted to run in environments dealing with customer data.