Heartland Payment Systems Hacked, Possibly 100M Accounts Stolen

Daily Tech ^ | January 21, 2009 11:19 AM | Tom Corelis

[xcamel]

Identity thieves install spyware to monitor transactions from the inside

In a press release timed to coincide with the inauguration of President Barack Obama, credit card processor Heartland Payment Systems announced Tuesday that it suffered a grievous security breach sometime in 2008, allowing hackers the opportunity to steal credit card information on what is possibly more than 100 million accounts.

Heartland is the sixth largest payment processor in the country, and specializes in transaction processing for small-to-medium-sized restaurants and retailers. According to Wired’s Thread Level, it processes more than 100 million transactions a month.

Federal investigators determined the source of the breach only last week. Spyware installed somewhere on the company’s internal network that sniffed unencrypted credit card transactions as they passed through Heartland’s systems.

“Heartland believes the intrusion is [now] contained,” reads the press release.

Actual damage assessments are still in progress, and the real question is just how much data the malware was able to capture. Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.

Baldwin would not speculate on the actual number of credit card accounts exposed. The company’s press release, however, could confirm that the breach had no effect on the company’s other services, which include payroll and check processing, micropayment solutions, and its “recently acquired” Network Services and Chockstone processing platforms. Similarly, cardholder’s addresses, PIN numbers, and other personal data were also unaffected.

The unknown hackers’ sniffers were able to pick up credit card numbers because the data is sent unencrypted over Heartland’s internal network, a policy that Baldin justified as necessary “to get the authorization request out.”

Late last month, various blogs reported a number of mysterious, fraudulent sub-25-cent transactions appearing on readers’ and bloggers’ credit card statements, coming from a nonexistent company called “Adele Services”. While it appears these events are unrelated, some consider the timing suspicious.

“There is no hard evidence that the company's data leak was responsible for the sudden surge of mysterious microtransaction fees we reported in early December,” writes Ars Technica’s Joel Hruska, “but the timing is extremely coincidental. The December attacks were never successfully attributed to any single company or credit card, but instead affected a seemingly unrelated group of people.”

“Heartland may — and I do stress may — have been the hidden link between them,” he said.

[traditional1]

The type of folks that are Obamamaniacs are also the types of folks who would steal and spend other peoples’ money (even on credit cards).

[xcamel]

99,999,999 others, to be exact...

[fanfan]

“Heartland believes the intrusion is [now] contained,” reads the press release.

LOL!

[BigDaddyTX]

Match that data with all of the $25 BO internet donations, remember how his internet guru was not aware that credit card processing companies had the ability to perform address verifications?

[xcamel]

“The investigation of the Century” - that aint-not-ever-gonna-happen

[Not_Who_U_Think]

Most amazing is that a company of this size and exposure would not be doing real-time network monitoring. At the very least, a decent firewall and log review would have shown the suspicious outbound traffic. There is just no excuse for this.

[DaoPian]

Exactly the same thing happened to me yesterday as well.

1st Transaction $103 ITunes

2nd Transaction $206 ITunes denied by bank.

I asked about it and they claimed they have people monitoring transactions and they notice unusual activity which is out of the normal pattern of purchases. I called BS, but they played dumb.

[rednek]

I use Heartland for processing in my business. This is the first I have heard of this. I guess a phone call is in order. Someone has some “splainin” to do.......red

[RKBA Democrat]

Another reason to pay cash.

[SunkenCiv]

Hey, the money for the inauguration had to come from *somewhere*.

[fanfan]

Oh, jeez, I wouldn't want to be in your shoes.

Depending on other people very rarely works out.

[meyer]

OK, so who’s Heartland and who’s credit card accounts do they process?

[Starfleet Command]

And this effects my Obama-sourced gas tank fillings and mortgage payments how?

Seriously though, this is precisely the financial infrastructural component weakpoint that Obamacampaign08 took advantage of to help itself to American's credit funds.

Looks like Hell has dissension in its ranks...

[Enterprise]

It appears that we did not have anything charged to the card. They need the 3 digit security code on the back if they are going to charge something online (ideally) and they need the 4 digit code to use it as a debit card. We tend to use the card to try to pay cash for gas and restaurant expenses, so now it will be 7 to 10 days before we get another card. Bummer.

[sausageseller]

They offer payment services. 6th largest processor of credit cards.

They also do checks and many other services. You don't really know if a business is using them. Even if you ask most of the people running your card would never know.

I think it is kind of dirty they released this info yesterday.

[randog]

This is just an excuse for poor security practices.

Yup. Heartland basically allowed their HR department to define their internal security. I'll betcha the HR director said, "Him?! He's the last guy I woulda suspected!!"

[ElkGroveDan]

“Sub-25 cent transactions” This is sorta new, isn’t it. The hackers seem to be doing what banks, etc. have been doing for decades - charge lots of people a little money. No real “victims” in a case like this.

No those transactions are "tests" if they go through, then the fraudsters lay low or sell the card info with the "test" report to prove it's valid, and then POW the big charges come in later.

[grey_whiskers]

Heartland CFO and president Robert Baldwin, in an interview with BankInfoSecurity.com, said his company was confident that the only data picked up was cardholders’ names and credit card numbers.

Look for an uptick in web-based donations to The One's campaign. /sarc>

Cheers!

[ozark hilljilly]

Ahhh jeez! This is the company I do biz with to handle credit card transactions at my store!
This is news to me.
HO-LEEE CRAP.

[N3WBI3]

Never mind the OS platform, how about just encrypting credit card numbers on their local network?

Mind waiting 10 minutes for the authorization to go through? Trust me if you decide to encrypt all the transactions you are going to miss every SLA you have.

I think what he means is that internal encryption would delay authorization by a second or two, and besides, it would cost money.

A previous employer decided to do ejb to ejb encryption on a J2EE platform and saw response time go from 2 seconds to 5 minutes. Yes per transaction in isolation you're only talking about 1 or two more seconds but that causes a serious log jam within a shot time and eventually the load on the cpu bring everything to a halt.

The bigger question is what was their security policy beyond encryption. What workstations had direct access to the core network and why was heartlands monitoring of outgoing traffic so weak.

Now I have to worry if my card is compromised. I think the inevitable lawsuits will cost a lot more that fast internal encryption.

We are going to have new cards issued regardless...

My company does encryption on all data and telephone leaving our building.

But not on your internal network!

Modern, fast encryption slows transmission very minimally.

Any encryption worth it is going to slow the processing of millions upon millions of transitions down significantly on a high volume app..