Biggest ever credit card data breach
In Wednesday's IT Blogwatch, Richi Jennings watches bloggers watch the "biggest ever" breach of credit card data. Not to mention the No Pants subway ride...
Jaikumar Vijayan reports:
A data breach disclosed [Tuesday] by Heartland Payment Systems may well displace TJX Companies' January 2007 breach in the record books as the largest ever involving payment data with potentially over 100 million cards being compromised. Heartland, a N.J.-based provider of credit and debit card processing services, said that unknown intruders had broken into its systems sometime last year and planted malicious software to steal card data carried on the company's networks. The company, which is among the largest payment processors in the country, claimed to have discovered the intrusion only last week ... Given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that much.
Dan Goodin adds:
Heartland called in auditors after people at Visa and MasterCard reported "suspicious activity surrounding processed card transactions." ... [but] stressed that no merchant data, cardholder Social Security numbers, unencrypted personal identification numbers, addresses, or phone numbers were exposed during the breach.
...
The company said it is working with investigators from the US Secret Service. It has also set up a website called www.2008breach.com to provide additional information to affected cardholders.
Brian Krebs counts on his fingers:
If accurate, such figures may make the Heartland incident one of the largest data breaches ever reported. Robert Baldwin, Heartland's president and chief financial officer, said the company, which processes payments for more than 250,000 businesses, began receiving fraudulent activity reports late last year from MasterCard and Visa on cards that had all been used at merchants which rely on Heartland to process payments.
Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country.
Mike Masnick waxes cynical:
In the past, we've joked about how with pretty much every security breach, there's an initial estimate of the damage done, followed much later by a second report that admits the breach impacted many more people. It happened with the VA. It happened with Choicepoint. And, it happened with TJX.
...
Heartland appears to have picked a pretty good day to announce a security breach that may impact over 100 million people. Everyone's off paying attention to the inauguration, so they might miss the news as it comes out today -- but they're likely to hear about it soon enough ... Considering they figured out what happened a week ago, it does seem a bit of interesting timing to wait until the inauguration was underway to disclose this information.
Rich Mogull laughs:
I want you to roll that number around on your tongue a little bit. 100 Million transactions per month. I suppose I’d try to hide behind one of the most historic events in the last 50 years if I were in their shoes.
But Kim Zetter channels the excuses:
Baldwin said Heartland's announcement on Inauguration Day was not intended to bury the news. He said the company first found clues pointing to the malware last week and worked through the weekend to uncover it in the system. Employees then spent Monday, a holiday, coordinating with the Secret Service, the Department of Justice and the card issuers to get approval for a press release.
...
Heartland didn't want to delay the announcement to Wednesday, for fear of a leak that could lead to insider trading on the public company's stock.
Jeremy Wagstaff is depressed:
What this new breach seems to tell us is that the bad guys are—and probably always have been—smarter than the good guys. Data within a payment processor like HPS does not need to be encrypted—indeed, the company argues it can’t be encrypted, because it needs to be processed.
...
But all this tells us is that the security measures in place to protect our data are not enough. God knows how that malware got into their computers. And why it was so hard to trace once it ... But the lesson from this miserably handled episode has to be that security and oversight need to be tightened, while transparency towards customers—the individuals who have to pick up the pieces, by scanning their monthly statements for months to come for possible fraud—has to be seriously improved. The bigger issue, of course, is to finally wake up to the fact that malware is no longer some obscure corner of security matters, but something that affects all of us.
And finally...
Buffer overflow:
- Jason Kottke: The country's new robots.txt file
- Dan Frommer: Apple iPhone Sales Drop 24% In U.S. During Q4 — Survey
- Timothy Prickett Morgan: IBM defies hardware woes with record 2008
- Aza Raskin: Test Pilot: Vision
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.