Heartland’s breach disclosure timing raises eyebrows

The timing of Heartland Payment Systems' announcement that its networks had been broken into last year by unknown intruders has raised a few eyebrows. Some see yesterday's announcement as an attempt by the Princeton, N.J.-based payment card processor to bury the bad news on a day when the media and the public at large were totally consumed with President Barack Obama's inauguration.

Considering that the breach may well turn out to be the largest ever disclosed by any company, one can see where the skepticism is coming from. But Jim Huguelet, an independent security consultant based in Bolingbrook, Ill., thinks it's just possible that the timing of the disclosure was a somewhat fortuitous break for Heartland.

Huguelet was one of those who initially had been somewhat skeptical about Heartland's choice of Inauguration Day for the announcement. So he took a look at the domain registration information for the Web site Heartland is using to convey information on the breach. What he discovered is that the site was registered only on Monday, a day before the disclosure. That doesn't necessarily prove anything, Huguelet admits. But it does seem to suggest that the planning for the notification process started only a day before. "If it had been registered, say, last week," that might have indicated a more deliberate plan to delay the notification until Inauguration Day, he said.

Who knows? As Huguelet says, the timing might simply have been an "interesting coincidence." Heartland has not responded to requests for comment.

Heartland so far has not disclosed exactly when it was broken into, how long the hackers had access to payment card data as it traversed the company's networks, or how many card accounts might have been compromised. But some, like Gartner's Avivah Litan, think the total number of compromised card accounts could eventually exceed 100 million, a number that would dwarf the 45.6 million announced by TJX in January 2007.

If you are forced by state laws to disclose a data breach, yesterday would certainly have been a perfect day to do it. But if the numbers being talked about here are anywhere near accurate, the timing of Heartland's announcement is going to do absolutely nothing to keep a lid on the story.

What People Are Saying

Jai's Blog

Heartland disclosed the information only after the company was contacted by the Wall Street Journal, which said it was breaking the story, which I believe ran last Monday. Typically, data breach specifics can be withheld so long as law enforcement is involved. However, VISA and MasterCard have been sending CAMS alerts to card-issuing financial institutions since at least November 2008. No one knew where the breach happened, only that a large-scale breach did happen. Now, in an effort to protect their customers, Heartland refuses to tell consumers the names of the businesses for whom they provide processing services, which in turn disables consumers' ability to protect themselves.

Heartland's announcement date

I might speculate on another possibility.

There was obviously a leak. As early as Friday afternoon one of our informants told me this was coming. I had everything but the all-important name of the processor. I even put queries out to my LinkedIn contacts trying to get more information. If I had the information, you can bet others did too.

My guess is that they wanted to put it off longer; most breach victims do. I'm wondering if the disclosure came on Tuesday because they discovered this was going to go public. They could have disclosed on Monday, but all the banks were closed.

Tom Mahoney, Director
Merchant911.org