Heartland Payment Systems, one of the biggest card payment processors in the US, has been the victim of what could well be the biggest security breach of its kind. Malicious software installed onto the Heartland network could have compromised as many as 100 million transactions according to numerous emerging reports. This would dwarf the TJ Maxx breach which involved details of some 40 million credit card transactions being stolen.
Apparently the attack on Heartland was discovered in-house last week, and law enforcement agencies were notified, along with the credit card companies whose customers could become potential victims of the resulting fraud. Data including names and card numbers was compromised, exactly the kind of information needed to clone cards.
Some security experts have accused Heartland of attempting to bury the news of the breach by releasing it just as US Presidential inauguration hysteria swept the world. Others doubt that the details of what actually happened, in particular how the malware was installed on what was meant to be a highly secure system, will ever be made public. "It will be interesting to see how this incident pans out. Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor's IT resources," said Rob Rachwald, a director at security specialists Fortify Software. "The $64,000 question, of course, is whether Heartland and the US Secret Service, who are working with company staff on an investigation, will reveal the actual modus operandi of the fraudsters. I somehow think this will not happen," Rachwald concludes.
Meanwhile, Bradley Anstis, Director of Technology Strategy at another security company, Marshal8e6, told us "Even though Heartland was PCI DSS compliant, determined criminals were still able to steal millions of credit card details. We are seeing more and more instances of IT staff relying on their AV and not being aware that their computers have been compromised with spyware or other malware. Today's widely accepted methods of signature-based malware detection are simply not going to catch targeted spyware because the AV companies won't be familiar with its signature. Companies should also look to emerging technology like behaviour-based malware analysis which would have caught this malware."
One thing is for sure: this is a bad start to 2009, and it could be indicative of the malware year to come.