Friday 30 January 2009

Heartland Payment Systems - Credit Card Security Breach

It goes without saying, that no matter who promises what when it comes to our information, we need to be very careful about what we do with it anyway.

Some bits of information we would never publish to the Internet:
  • College or University graduated from and what city.
  • High School graduated from, what city, and what year.
  • Birth date.
  • Social Insurance Number (SIN - Canada), Social Security Number (US).
  • Major purchases made and where.
  • Banking information.
This type of information may seem to be inert on its own, but new services such as pipl are proving that data mining capabilities are becoming more and more sophisticated.

Keep this in mind when it comes to publishing personal information anywhere including social and business networking sites.

So, when it comes to our credit cards, we are quite diligent in our monitoring of the transactions on each card by checking our online statements at least two to three times a week. In our case, at least one of our credit cards have been impacted by this security breach.

And, when it comes to protecting our identity, we subscribe to one of the big three's credit profile monitoring services that sends out a weekly e-mail indicating whether anything has changed on our credit profiles. If the e-mail indicates a change, and we did not initiate that change, then it is imperative to jump on investigating what was up immediately. The e-mail gives an indicator, but we can log onto the report's site and take a closer look at the details.

Heartland Payment Systems has a Web site dedicated to the breach of their systems: Heartland Payment Systems Breach 2008 site:

The front page of the site has a statement by the Chairman and CEO of Heartland Payment Systems.

One item of great concern to us in the CEO's letter:
"... we will not rest until we have the answers to how and why this breach occurred so we can prevent any future attacks at Heartland and elsewhere."

Let's stop and think about this for just a moment ...

They do not know "how" the breach happened?!? The "why" is irrelevant. How about telling us the "when"?

To get a clue on the when, we go to the site's FAQ:

Was Heartland the victim of a data breach?

Yes. During the week of January 12, we learned we were the victim of a security breach within our processing system during 2008.

Now give that answer a once over again: "...DURING 2008"!!!

While a forensic investigation may be on the go now, if the breach was an ongoing thing that has just been discovered, will the investigators ever be able to pinpoint whether the breach originated in 2008, or 2007, or even 2006 and beyond?!?

Not only that, it was VISA, MasterCard, and other credit car companies that had to trace suspicious transactions back to Heartland before the breach became known:

How did we learn about the breach?

After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, malicious software was discovered that potentially enabled data to be compromised as it crossed Heartland's network.

The magnitude of the breach and its implications are staggering in this case. It took a group of third parties to let the company know that there was a problem with its systems.

So, we have an indication of a breach, we have a Web site with some information on it, but that is about it?!? Not only that, Heartland chose to release the news on the day of President Obama's inauguration! One need not venture into the motivation behind this, but the implications are there ... where is the company's transparency?

It leaves us with an affirmation that our skepticism of the "system", and personal data protection, expressed in the first couple of paragraphs in this blog post are well founded.

We have seen a number of high profile security breaches in our headlines over the last couple of years or so. As a result, it is up to us to keep up that healthy skepticism and make sure we cover as many of the bases as possible when it comes to protecting our identity and financial information.
  • Only use one credit card for online transactions.
  • If possible, have an ultra low limit on that credit card.
  • Obtain the card from an institution that practices call-backs for out of the norm transactions.
  • Obtain the card from an institution that allows for card number rotations on an annual or bi-annual basis to further protect the card.
  • Where possible, utilize a trusted third party payment system such as PayPal for online transactions to keep credit card information out of the merchant's hands.
  • Monitor the transaction log for bank accounts, credit cards, and credit profiles (Canadian Trans Union Credit Monitoring).
And finally, when are our legislators going to get some laws in place making it mandatory for all companies to report a breach that would impact our identities, livelihood, and personal data?

It is high profile cases, such as the Heartland Payment Systems breach, that beg the question about breaches with companies that process personal information and never report it.

Lawyers and mitigating risk to a company should never trump a person's right to know their data has been compromised ... ever.

Searches on the matter:
Some further reading:

One quote of interest from WSJ:

"One hundred Million Transactions PER MONTH"

The depth of this breach is just mind boggling.

Philip Elder
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

No comments: