It's a good day to disclose the largest credit card data breach ever

It's a good day to disclose the largest credit card data breach ever

Summary: While the majority of American media is glued to the quadrennial spectacle that is the Presidential inauguration, Heartland Payment Systems has uncovered a piece of malware hidden in their payment processing system. This has apparently lead to what may be the largest data breach ever.

SHARE:
TOPICS: Banking
20

While the majority of American media is glued to the quadrennial spectacle that is the Presidential inauguration, Heartland Payment Systems has uncovered a piece of malware hidden in their payment processing system. This has apparently lead to what may be the largest data breach ever. Hearland Payment Systems, a credit card payment processor, apparently chose the completely innocuous day of January 20th, 2009 to inform the world that a data breach occured, and that it did not affect any "merchant data or cardholder Social Security numbers, unencrypted PINs, addresses or telephone numbers". What possibly was affected, however, was every credit card number that traversed their payment processing system.

Anyone who used a Visa or Mastercard at one of a quarter of a million businesses may have been affected. For the small number of you who fall into this category, I recommend going through your old credit card statements just in case you were one of the victims. In all honesty, the probability of any one person being victimized by this is pretty slim, but vigilance is never a bad thing.

Heartland has apologized for the incident, and has put up a website at 2008breach.com to communicate with the public about the issue.

Topic: Banking

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

20 comments
Log in or register to join the discussion
  • "Today I say to you that the challenges we face are real.."

    To take a line from today's historic event "today I say to you that the challenges we face are real..." As our economy adjusts, downturns, or starts to recover (pick your preference) there are numerous threats we are facing and this is just one example where consumers are vulnerable and the critical infrastructure we take for granted is being attacked through a weakened link. Malware has become very targeted and providing protection from it will only come when there is very granular visibility to not only application changes but data and system level object changes and to have the controls to deny all unauthorized change. Normally you wouldn't trust your financial assets to an adviser without having controls to report and verify their activity - but Madoff and now others are proving that trust must be earned and not taken for granted. Let's get on with these hard lessons and move forward.
    ksingletary
  • RE: It's a good day to disclose the largest credit card data breach ever

    What operating system?
    tburzio
    • When the operating system isn't mentioned.

      It's usually one of Microsoft's.
      kozmcrae
      • i guess it easy

        I guess it easy to make fun of MS when you have no real clue...
        dave@...
        • Right...

          Who in the world would think that Heartland is using Macintoshes in their corporate offices?
          Metronome49
    • Since ppl will post their guesses

      I counter the other with it might be a Red Hat Linux, but that's just a counter guess.
      Boot_Agnostic
  • For the small number of you...

    You are funny Adam!
    recurvebowyer
  • RE: It's a good day to disclose the largest credit card data breach ever

    I think I've just found the explanation for the fraudulent activity on my credit card last week... I'm always extra cautious as to where I use my credit card information. This goes to prove that even when you're the most cautious you can be, the incompetence of the people handling your credit card data is always there to help online criminals screw you anyway. A few more of those and visa/mastercard might finally realize that relying on typing a few numbers to charge one's bank account is piss poor security.
    carthaginian1
  • RE: It's a good day to disclose the largest credit card data breach ever

    What's been hacked is called "Incompetent engineer 1.0", it's actually compatible with any OS.
    carthaginian1
  • Keylogging S/W was discoverd

    "There were two elements to it, one of which was a keylogger that got through our firewall," he said. "Then subsequently it was able to propagate a sniffer onto some of the machines in our network. And those are what was actually grabbing the transactions as they floated over our network."

    Source:

    http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=212901505&subSection=News



    Off the shelf binary compatible software has no place in mission critical areas, use cheap fly buttons and your pants fall down.

    Place your bets on the leaky culprit OS,

    Ten bucks says MS, monculture makes the hackjob easier :)
    Alan Smithie
    • Not necessarily...

      we can't be so quick to point to an O/S. I'm betting a human had a hand in this, either intentionally or not. Remember the major online bill provider that got hacked last month? that wasn't because of what O/S was in their environment...it was because a tech at that company recieved an email "claiming" to be from their domain registrar, needing the domain login creds updated, the tech clicked on the link and gave the keys away...THAT'S RIGHT, THE TECH CLICKED ON AN EMAIL LINK AND LOGGED IN

      If we put as much time and effort into user education and accountability as we do arguing about strengths/ weaknesses of an O/S, we would see a dramatic drop in these types of things.

      Social engineering will always be greater force than an O/S's strength or weakness because people's decisions, whether malfeasant or accidental, are not required to abide by rules, while an O/S is.
      IAmLegion20ll
  • Trust "Cloud" computing? Not a chance.

    Hmmm, put all my "security" in the hands of a internet based server? I don't think so!
    No_Ax_to_Grind
    • Perhaps, and this is just maybe..

      The cloud host will be security conscious?

      If so, then in the case of a small business owner/operator, I'd say you'd be safer entrusting your security to them over doing it yourself.
      User07734
  • The 250K 'businesses' is incorrect. Please get your facts straight.

    Your statement, "Anyone who used a Visa or Mastercard at
    one of a quarter of a million businesses may have been
    affected." is incorrect.

    From 2008breach.com, "Heartland Payment Systems, Inc.
    ... delivers credit/debit/prepaid card processing, payroll,
    check management and payments solutions to more than
    250,000 business locations nationwide."

    Two things: 1. Not all customers use their payment services, some use their payroll and cheque management
    solutions. 2. It's 250K locations, not individual businesses.
    I imagine many of their customers have more than one
    location, therefore far less than 250K customers.
    asad.quraishi@...
  • Victims

    You can count my wife and I as victims. She had to have her Citibank Visa replaced last week and I found out on Monday that my Chase Mastercard had been compromised by "fraudulent activity" as per Chase's fraud department. Citibank said her card was hit with charges from Great Britain and Saudi Arabia for only a few cents each and Chase said my card was hit with a charge from Texas for a few cents. Someone was testing the numbers to make sure they were good, but luckily the activity was spotted before any large scale purchasing was made.
    Illudium Q-36 Explosive Space Modulator
  • gee... I often wonder

    are these breaches simple ERRORS

    or the result of the NSA or any other agency HAVING A
    LOT OF FUN amalgamating data & letting corporations take
    the hits for 'oopsies'?

    seriously.

    there's a LOT OF MONEY for HomeLand Security contracts,
    privatized data amalgamation & 'War on Terror' intelligence
    services to 'protect you' by simply...

    surveilling you.
    BlueBerry Pick'n
  • How often do we have go through this?

    Who are these people and who authorized them to hold sensitive data on individuals? It seems like every Tom, Dick, and Harry can start a business that holds sensitive data without any safeguards. Are these kinds of business regulated? And by whom? Do we have recourse against them?
    duclod
  • RE: It's a good day to disclose the largest credit card data breach ever

    Price Waterhouse Cooper and Carnegie-Mellon???s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture ??? and people aren???t getting the training they need. For example: Microsoft patched for this virus 4 months ago. I like to pass along things that work, in hopes that good ideas make their way back to me, and as CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
    The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -
    The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
    In the realm of risk, unmanaged possibilities become probabilities ??? read the book BEFORE you suffer a bad outcome ??? or propagate one.
    johnfranks999
  • RE: It's a good day to disclose the largest credit card data breach ever

    <a href="http://www.msimerchantservice.com" title="merchant service">This company</a> has excellent customer service, no contracts or cancellation fees,very reasonable rates, AND HAS NEVER HAD A SECURITY BREACH. As a business owner, I have never had any issues with them, and plan on keeping them as my processor for a very long time. My sales rep was Danielle at (877) 877-9592.
    Sandra_Jean
  • RE: It's a good day to disclose the largest credit card data breach ever

    Great!! ! thanks for sharing this information to us!
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>
    birumut