Heartland Breach: DÃ©jÃ vu All Over Again
Yogi Berra once quipped, "This is like deja vu all over again." Remember back in June 2005, when CardSystems Solutions, an Atlanta, GA-based payments processor that processed credit card transactions for MasterCard and Visa, found it was hacked, and more than 40 million card accounts were exposed to potential fraud? As a result of the breach, CardSystems was later dropped by major credit card companies as a processor, sold to another payment processor, Pay By Touch, which filed for bankruptcy in 2007 and finally closed its doors in March 2008.
What is similar about these two data breaches - CardSystems and Heartland? They are both payment processors, and both were attacked with malware that helped hackers get card information. Second is the weight of the loss. CardSystems' breach, the largest at the time, was estimated to affect potentially 1 of every seven credit cards, according to MasterCard estimates. Heartland, the sixth largest payments processor in the country. processes 100 million transactions for 175,000 merchants per month. While there hasn't been a full accounting of just how long the hackers were able to see card data on Heartland's processing systems, even if it was just for a period of a few months, the number of card numbers exposed could run into the millions.
Remember back in June 2005, when CardSystems Solutions found it was hacked, and more than 40 million card accounts were exposed to potential fraud?
As a result of the breach and investigation that showed CardSystems wasn't doing everything it was supposed to do in protecting card data, CardSystems was hit with charges by the Federal Trade Commission and agreed to a settlement where CardSystems (by then owned by Pay By Touch) would be required to "establish and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards." The settlement also required them to obtain - every two years for the next 20 years - an audit from a qualified, independent, third-party professional that confirms that its security program meets the standards of the order, and to comply with standard bookkeeping and record-keeping provisions. Heartland can expect the same treatment by the FTC, or maybe even stiffer penalties, including fines, like the ones exacted on TJX by the FTC after its mega breach. Twenty years of oversight by the FTC leaves no room for error and lots of money spent on compliance.
Because Visa and MasterCard are still contacting the financial institutions with the unwelcome "We are sorry to inform you that credit/debit cards held by your customers may have been exposed" news, the public, along with the rest of the industry, is in the limbo waiting-to-see-if-we-were-hit game. As Heartland completes its investigation and gets a better grasp of just how many card numbers were exposed, (they're still unsure of the exact numbers), we'll have to wait and see what the total impact of this breach will be. To date at least five institutions have reported that they were contacted by VISA and MasterCard regarding this breach, including Kennebec Savings Bank, Kennebec, ME, Forcht Bank, a Kentucky based bank, GFA Federal Credit Union, Gardner, MA, and several other Maine credit unions, including PeoplesChoice Credit Union, Saco, ME.
The impact of this breach will be felt not just by Heartland, but by everyone involved. Financial institutions, retailers and other businesses, consumers who had their cards compromised and replaced, even the consumers who had their cards replaced by cautious institutions that, instead of waiting for fraud to appear on a card, replace all the cards the credit card companies tell them may be exposed. With consumer confidence at rock bottom when it comes to the financial services industry, and the entire outlook of gloom about the current state of the economy, the timing of this couldn't be any worse.
Heartland's tale will, for their sake, hopefully not end up the same as CardSystems. Other payment processors must take heed: The attack vector of the organized criminal gangs of hackers has no boundaries, no borders, time zones or target size requirements. Another note to everyone - these hackers aren't some bored college students or uber-brilliant high school kids trying to make their name in their hacking circles. They are in it for one thing - the data, which translates to money. (By the way, the previous statement also goes for everyone else who is transacting business over the internet or operates computer systems as part of how they get work done. Just because you're not the size of a retail giant like TJX or a mega financial services company, or a card payment processing company, doesn't mean you're not being targeted.) Need examples? Just look at the list of who was breached last year. Forget about trying to get by and just do the minimum amount of security to protect your customer data (and your company's data). Otherwise you'll be toast before you can say "fiduciary responsibility."
Some real thought needs to be done on what the solutions are for long term security of these types of data, at all levels, from the consumer up to the highest levels of business in all industries. If we all wait, eventually lawmakers will step in and tell us how to secure data and systems and the end result will end up being much more painful that can be imagined. Need an example? The data security regulations that Massachusetts passed and which goes into effect on May 1 will be the country's most onerous for most entities, say those who are familiar with the law's requirements. Another consideration is the new administration will look at this breach, along with everything else that has occurred in the financial services industry's deregulation party era, and decide to focus on it even more closely that we're expecting them to do. The bottom line is: If you want to stay in business, protect the data and make sure everyone you are entrusting it to does at least the same as you're doing. Or better.