After a data breach that could prove to be the largest unintended disclosure of consumer information ever, security and privacy experts are urging companies to learn from the Heartland Payment Systems breach and warning that existing regulatory standards just aren’t good enough to prevent such incidents.
The Princeton, N.J.-based payments processor revealed that unknown intruders broke into its systems last fall and planted malicious “sniffer” software designed to snag credit card numbers as they were transferred over the internal network. One of the largest payment processors in the country, it discovered the invasion last week after receiving alerts from Visa and MasterCard.
Heartland has been tight-lipped about the details of the breach thus far. The company did put up a Web site at www.2008breach.com to notify consumers they should carefully check credit card statements for irregularities. The site also says Canadian systems were not affected, and merchant data wasn’t compromised.
The company has not disclosed just how many credit card numbers are at risk. But it processes more than 100 million transactions a month.
The scale of the breach is “shocking,” says Jennifer Stoddart, Privacy Commissioner of Canada.
“After what we saw at TJX, that you could have such a major data breach, I’m asking myself what is happening and what is not getting through to organizations?” she says. “You should always take the steps to make sure there is suitable protection.”
TJX Companies Inc. is still in court for a 2007 data breach that resulted in 94 million payment cards being compromised. The retailer set aside $190 million for the legal fees resulting from class-action lawsuits in the fallout of the breach, Stoddart says.
Visa and MasterCard lost a combined $150 million as a result of that breach.
In the wake of that data leak and the more recent attack on RBS WorldPay, the payment-processing arm of the Royal Bank of Scotland, Heartland should have been better prepared for an attack, say security experts.
“They’re definitely in the top 10 in terms of being the crown jewels that someone might attack,” says Michael Argast, a security analyst with Sophos PLC, a UK-based security vendor. “We do know that a keylogger was placed on the system at some point, and then a sniffer was brought in.”
A sniffer is a simple piece of malware that sits on a host inside the network and copies traffic as it passes by. In Heartland’s case the sniffers could read card numbers because, by most accounts, the data was likely not encrypted while in motion across the internal network. Card numbers that are encrypted at rest in a database are still exposed every time they are sent in the clear between systems, and a sniffer only needs to be on one machine along that path.
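What a sniffer on a plaintext segment actually does is mechanical, and the same logic doubles as a detector for card numbers in motion. The following is an added example written for this page, not code from the article, from Heartland or from Sophos: it runs over constructed sample payloads (the well-known test card numbers 4111111111111111 and 5555555555554444, a fake Track-2 record, and a stand-in TLS record) and reports every Luhn-valid PAN that is readable as-is. The field layout of the payloads is invented for illustration; the point is that anything sent in the clear is harvestable with a regular expression, and that the same TLS-protected exchange yields nothing.

```python
import re

# Constructed sample payloads standing in for frames captured on an internal
# network segment. None of this is Heartland traffic; the card numbers are the
# standard test PANs 4111111111111111 and 5555555555554444 and the field
# layout is invented for this example.
SAMPLE_PAYLOADS = [
    # Authorization request sent in the clear: the PAN is readable as-is.
    b"0200|pan=4111111111111111|exp=1012|amt=004500|mid=12345",
    # Track-2-style data (PAN=expiry, service code, discretionary data), also in the clear.
    b";5555555555554444=10121011000012345678?",
    # Sixteen digits that are not a card number: fails the Luhn check.
    b"order_ref=4111111111111112 status=OK",
    # Long numeric field that is a timestamp, not a PAN (also fails Luhn).
    b"ts=20090120153000 ref=1234567",
    # The same kind of exchange under TLS: opaque to a sniffer, nothing to harvest.
    bytes.fromhex("170303002a8f3b9c1e4d77a2c0ff13e9b75d02a6d1c44e8a17f0b93ce52d6f1a0b4e7c9d3a5f8e21b6"),
]

# Maximal runs of 13 to 19 ASCII digits, the length range of real PANs.
PAN_CANDIDATE = re.compile(rb"(?<![0-9])([0-9]{13,19})(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every card brand applies to its PANs."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: bytes) -> list:
    """Return the Luhn-valid PANs visible in one captured payload."""
    hits = []
    for m in PAN_CANDIDATE.finditer(payload):
        candidate = m.group(1).decode("ascii")
        if luhn_ok(candidate):
            hits.append(candidate)
    return hits


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_payloads(payloads) -> list:
    """Run the detector over a capture; returns (payload index, masked PAN) pairs.

    On an attacker's sniffer this is the harvesting step; on a DLP sensor
    watching the same segment it is the alert that plaintext PANs are in motion.
    """
    findings = []
    for idx, payload in enumerate(payloads):
        for pan in find_pans(payload):
            findings.append((idx, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for idx, masked in scan_payloads(SAMPLE_PAYLOADS):
        print(f"payload {idx}: plaintext PAN in transit: {masked}")
```

Only the first two payloads produce findings; the 16-digit order reference and the timestamp are rejected by the Luhn check, and the TLS record contains no digit runs at all. Run as a monitor rather than as malware, a detector like this is one concrete way to act on the advice later in the article to assume the internal network is already compromised: if it ever fires, card data is crossing the wire unencrypted.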
The payment processor had recently been certified compliant with the Payment Card Industry (PCI) Data Security Standard. The standard grew out of Visa’s and MasterCard’s card-security programs and is now maintained by the PCI Security Standards Council; it applies to merchants and service providers that store, process or transmit cardholder data. But it doesn’t cover internal networks, says Matt Pauker, the co-founder of Palo Alto, Calif.-based Voltage Security Inc.
“A lot of people have assumed if you’re PCI compliant, then you’re secure,” he says. “This is a wake up call showing that’s really not true.”
The PCI standard is designed for merchants using payment cards, he adds. A payment processor like Heartland deals with a higher volume of card numbers and should be held to a higher standard – or PCI compliance should be updated to address those needs.
PCI was a good way to deal with threats posed by hackers when it was first drafted several years ago. But only now are many companies starting to implement the standard’s recommendations, Sophos’ Argast says. Even then, achieving PCI compliance shouldn’t be seen as the goal of security, but just the starting point.
“The bar has been raised in terms of what an organization such as Heartland must do to secure itself,” he says. With attacks becoming much more targeted it’s imperative that such organizations have “deep security expertise.”
Argast says companies should address security with a corporate culture that recognizes it as an ongoing process. They should adopt the latest technology that uses behavioural malware detection to prevent keyloggers from entering the system. They should use thorough auditing processes that can correlate different entry points – and they must encrypt.
“They need to make sure that information is encrypted end-to-end,” the Sophos analyst says. “You have to assume your internal network has been compromised and start at that level of paranoia.”
Persistent encryption has been a challenge for organizations in the past. Many companies run legacy systems whose databases, file formats and input validation expect a card number to be exactly what it has always been: 16 digits in a fixed-width numeric field. Conventional encryption breaks that expectation. A block cipher such as AES turns a 16-digit number into at least 16 bytes of binary ciphertext (more once padding and an IV are added), which is then usually hex- or base64-encoded into a 32- or 24-character string containing letters, so it no longer fits the column or passes the application’s checks.
But format-preserving encryption allows encrypted data to carry the same format as the unencrypted data – so a 16-digit number will instead be a different 16-digit number, Pauker explains.
“Even though it’s only a 16-digit number, it still has the same strengths as traditional encryption,” he says. “We were able to help a large retail customer that acquires thousands of credit cards a day to integrate this approach to their systems in less than two months.”
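To make the format-preserving idea concrete, here is an added example written for this page. It is neither Voltage’s product nor the NIST FF1 mode it is modelled on: it is a simplified Feistel network over decimal strings in which HMAC-SHA256 stands in for FF1’s AES-based round function, and it is meant to show the property Pauker describes, not to be deployed. The key, tweak and card number are constructed test values.

```python
import hashlib
import hmac
import re

ROUNDS = 10  # the NIST FF1 mode also runs ten Feistel rounds

# Constructed demo values; a real deployment draws the key from a key manager.
DEMO_KEY = bytes(range(16))
DEMO_TWEAK = b"merchant-12345"   # public context bound into the mapping


def _round_value(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Pseudo-random function for one Feistel round.

    Illustrative substitute: HMAC-SHA256 in place of the AES-based PRF that
    FF1 specifies. The tweak makes the same PAN encrypt differently per context.
    """
    msg = tweak + bytes([rnd]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")


def _split(digits: str):
    """Split a decimal string into left/right halves (FF1's u and v lengths)."""
    if not re.fullmatch(r"[0-9]{2,}", digits):
        raise ValueError("input must be a string of at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    return u, v, digits[:u], digits[u:]


def fpe_encrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Map a decimal string to another decimal string of exactly the same length."""
    u, v, A, B = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v                      # length of A in this round
        c = (int(A) + _round_value(key, tweak, i, B)) % 10 ** m
        A, B = B, str(c).zfill(m)                       # modular addition keeps it decimal
    return A + B


def fpe_decrypt(key: bytes, tweak: bytes, digits: str) -> str:
    """Invert fpe_encrypt by running the rounds backwards with modular subtraction."""
    u, v, A, B = _split(digits)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(B) - _round_value(key, tweak, i, A)) % 10 ** m
        A, B = str(c).zfill(m), A
    return A + B


def fits_legacy_column(value: str) -> bool:
    """The check a legacy CHAR(16)/NUMERIC(16) card field effectively applies."""
    return re.fullmatch(r"[0-9]{16}", value) is not None


if __name__ == "__main__":
    pan = "4111111111111111"                  # standard test PAN, constructed input
    token = fpe_encrypt(DEMO_KEY, DEMO_TWEAK, pan)
    print(f"plaintext : {pan}  fits legacy column: {fits_legacy_column(pan)}")
    print(f"ciphertext: {token}  fits legacy column: {fits_legacy_column(token)}")
    print(f"round trip: {fpe_decrypt(DEMO_KEY, DEMO_TWEAK, token) == pan}")
```

The ciphertext is another 16-digit string, so it drops into the same database column and passes the same length and character checks as the original, which is the whole integration argument. Two caveats a practitioner should keep in mind: the output will generally not pass the Luhn check or begin with a valid issuer prefix, so any downstream logic that validates card numbers must be told it is looking at encrypted values; and without a tweak the scheme is deterministic, so identical PANs yield identical ciphertexts across records, which is why the tweak (here a merchant identifier) is bound into every round.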
The council that decides about changes to the PCI standard has been good about making updates, Pauker adds. He’s confident it will be improved again.
In Canada, Stoddart wants updates to the national privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), to make it a requirement for organizations to publicly disclose when they have been the victim of a major data breach.
“If this is placed on the list of activities that need special reporting if they occur, it will raise awareness and let us know how many data breaches are occurring out there,” she says.
The privacy law has been slated for an update since 2005, she says. But the volatile situation in Parliament has kept pushing it off the agenda.