In what may eventually become a staggering data breach that surpasses TJX in the volume of customers and accounts impacted, payment processor Heartland has announced that its systems were infected by malware sometime last year and that the firm has been leaking customer data ever since.
Heartland reported that, although the infection dates to sometime last year, it found evidence of the intrusion only last week, at which point it immediately notified law enforcement and the card brands. Thanks for that.
How can a payment processing firm that counts more than 250,000 businesses as clients, a company that handles more than 100 million transactions a month, run compromised systems for any significant length of time and not know?
When (and if) they performed internal security assessments to identify their high-risk data and the controls in place to mitigate or eliminate the associated risks, did the audit and control teams simply fail to identify malicious code as a threat? Or did they appropriately call out malware and chart their detective and preventive controls, in which case they were either badly mistaken about the effectiveness of those controls, or gaps were identified that were never remediated?
One of the recent trends on the malware front is targeted code tailored to attack particular system types, or designed to detect, collect, and transport high-value data such as Social Security numbers, EINs, credit card and account numbers, and so on.
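As an added illustration (my own example, not something from Heartland's malware or from any analysis of it, with all sample data constructed), this is the kind of pattern-plus-checksum logic that both a harvesting implant and a defensive content scanner use to pull card numbers and SSNs out of a stream of text. The Luhn checksum is what separates a real primary account number (PAN) from a random run of digits such as an order ID. The card numbers are the public Visa and Mastercard test numbers, and the SSN is a widely published sample number, not a real person's.

```python
import re

# Constructed sample of the sort of text a collector would sift: auth traces,
# a customer record, an order line, and a track-2 fragment. Test data only.
SAMPLE = """\
trace: auth req pan=4111111111111111 exp=0312 amt=41.20
trace: auth req pan=4111-1111-1111-1112 exp=0312 amt=9.99
ssn on file: 078-05-1120
order id 1234567812345678 shipped
track2: 5500000000000004=09121010000000000000?
"""

# 13-19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (the lookarounds stop us matching inside track data).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: from the right, double every second digit,
    subtract 9 from doubled values above 9, and the sum must be 0 mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return every Luhn-valid 13-19 digit number in the text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list[str]:
    """Return SSN-shaped numbers, dropping ones no SSA ever issued."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append(f"{area}-{group}-{serial}")
    return hits


def mask(pan: str) -> str:
    """First six and last four, the way a PCI-scoped log is allowed to show a PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for pan in find_pans(SAMPLE):
        print("PAN found:", mask(pan))
    for ssn in find_ssns(SAMPLE):
        print("SSN found:", ssn)
```

Run over the sample, the scanner reports two PANs (the order ID fails Luhn and the mis-keyed second card is rejected too) and one SSN. The same logic, pointed at process memory, spool files or an outbound stream, is how a collector picks its targets, and how a DLP sensor or a periodic data-discovery sweep would have found card data sitting where it should not be.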
In the good old days, when hackers and crackers (script kiddies, mostly) broke into a system, it was only a matter of time before that fact became public, generally because the attackers wanted the notoriety. There was a lot of noise when something like this happened.
The modern-day data thieves take a much different approach - think cat burglar as opposed to someone who throws a trash can through a window to gain entry.
The glass smasher might get inside, but the crashing glass itself sounds an alarm and leaves evidence of the break-in, effectively limiting the amount of time for the valuables to be collected.
A cat burglar, by definition, sneaks in quietly, prowls the premises until discovering the items of worth that were the targets of the crime, and removes them, leaving everything else undisturbed - often leaving few tracks and little evidence behind.
The longer an attacker can keep a compromised system hidden from discovery, the more data he (or she - equal opportunity crooks welcome) can acquire for nefarious purposes. Similarly, more information spirited offsite means a much richer payoff when the data is sold to third parties or used by fraudsters to perform transactions against unsuspecting customers' accounts.
One question that so far remains unanswered is how the malware was introduced into Heartland's systems. Was there a propagating worm introduced via email or through a compromised website? Did someone plug an infected USB drive into a machine? Was it an inside job?
I'd be interested in the code analysis to determine whether it's something the existing antivirus software should have alerted on - and I understand I'm assuming here that AV protection was both active and updated. Along the same lines, were the infected systems fully patched for known security vulnerabilities, and was their baseline security configuration hardened, with state monitoring enabled? What about vulnerability assessment and management?
Did Heartland employ network anomaly detection? How did this captured data leave the firm? If it was going out over the network, how did the HIDS and NIDS, if deployed, not fire?
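To make the anomaly-detection question concrete, here is an added example of my own (nothing from Heartland's environment; the hosts, addresses and byte counts are made up) of what even a simple egress baseline looks for: learn each host's normal daily outbound volume and the destinations it talks to, then alert when a host either sends far more than usual or starts talking to somewhere new. A card-processing host pushing tens of megabytes to an address it has never contacted is exactly the signal that should have fired.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries (day, internal host, destination, bytes sent):
# seven quiet days to learn from, then one day where a processing host pushes
# a large volume to an address it has never used. Made-up data, not Heartland's.
FLOWS = []
for day in range(1, 8):
    FLOWS.append((day, "pos-proc-07", "10.0.5.20", 1_000_000 + 60_000 * (day % 3)))
    FLOWS.append((day, "db-02", "10.0.5.20", 5_000_000 + 100_000 * (day % 4)))
FLOWS.append((8, "pos-proc-07", "10.0.5.20", 1_020_000))
FLOWS.append((8, "pos-proc-07", "203.0.113.9", 38_000_000))   # the exfiltration
FLOWS.append((8, "db-02", "10.0.5.20", 5_200_000))

BASELINE_DAYS = 7   # days used to learn what "normal" is for each host
SIGMA = 3.0         # standard deviations above the mean that count as anomalous
MIN_RATIO = 2.0     # and at least double the mean, so a flat baseline cannot alert on noise


def daily_totals(flows):
    """Sum bytes per (host, day) and record the destinations each host used that day."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for day, host, dst, nbytes in flows:
        totals[(host, day)] += nbytes
        dests[(host, day)].add(dst)
    return totals, dests


def detect(flows, baseline_days=BASELINE_DAYS):
    """Return one alert per (host, day) after the baseline window that is anomalous
    either by outbound volume or by contacting a never-before-seen destination."""
    totals, dests = daily_totals(flows)
    hosts = {host for _, host, _, _ in flows}
    alerts = []
    for host in sorted(hosts):
        base = [totals[(host, d)] for d in range(1, baseline_days + 1) if (host, d) in totals]
        if not base:
            continue
        mu, sigma = mean(base), pstdev(base)
        known = set().union(*(dests[(host, d)] for d in range(1, baseline_days + 1)))
        for day in sorted(d for h, d in totals if h == host and d > baseline_days):
            sent = totals[(host, day)]
            reasons = []
            if sent > mu + SIGMA * sigma and sent > MIN_RATIO * mu:
                reasons.append(f"outbound {sent} bytes vs baseline mean {mu:.0f}")
            new_dsts = dests[(host, day)] - known
            if new_dsts:
                reasons.append("new destination(s): " + ", ".join(sorted(new_dsts)))
            if reasons:
                alerts.append({"host": host, "day": day, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS):
        print(f"day {alert['day']} {alert['host']}: " + "; ".join(alert["reasons"]))
```

The volume rule alone would also catch a slow-and-low thief who trickles data out over weeks only if the window is long enough, which is why the new-destination rule matters: a quiet host inside the card environment has no business opening a first-ever connection to the outside, however small. A real deployment would feed this from NetFlow or proxy logs and whitelist sanctioned external endpoints, but the shape of the check is the same.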
Much has been written over the past several years about security as a "defense in depth" approach, where the security and control environment is multi-tiered so that malicious events are hopefully prevented and certainly detected. It would appear that there were multiple failures in the Heartland case, and judging by the penalties assessed in the wake of the TJX breach (45.7 million credit and debit card numbers exposed), coupled with the cost of notifying what could be several hundred million customers and providing them with credit monitoring services, this will prove to be a very expensive lesson for Heartland.
As written in my posting SANS 2009 Security Predictions, and my security crystal ball article excerpted at GovernmentSecurity.org, data breach legislation is a trailing indicator of security and control effectiveness. When breaches don't happen, legislators tend to focus on other things. When big breaches are in the news, there are more drum beats about the need for standardized federal laws and regulations around data protection and breach notification.
This could be the incident that tips the scale and kicks off a federal response, depending on the details that emerge as Heartland's systems undergo forensic examination. Stay tuned.