Heartland Processor Breach: 3 indictments announced

Let’s begin with the relevant links:

There are a few items of interest in the indictment worth noting.

The process of planning the breach was, as you would expect for something of this scale, very methodical. It involved identifying breach targets by reviewing Fortune 500 lists, actually going to the retail location to determine what hardware was used for acceptance and, finally, identifying the processing systems that the targets were using (i.e. someone like Heartland).

It would appear that the attack vector itself was SQL injection. For more information on the potential details, I defer to the experts at Securosis.

What I also find intriguing is that one of the three named in the indictment has also been indicted in the TJX breach. This indictment names Heartland, 7-Eleven, and Hannaford as well as two “other” companies that remain unnamed. This particular defendant, who is named in the indictment, actually functioned as an informant for the Secret Service in a case regarding another group of hackers. This defendant was the only one residing in the United States. The other two defendants (unnamed) “resided in or near Russia.”

There is one element of the indictment that I will quote in its entirety:

It was the object of the conspiracy for {Defendants} and others to profit from the sale and fraudulent use of credit and debit card numbers and corresponding Card Data stolen from the Corporate Victims’ computer networks.

Relatively self-evident, eh?

And yet, quite a few of the people I speak with (who aren’t related to the payments industry) about the concept of a card breach start with the question… “Why would someone steal card numbers?”

Perhaps it is overly dismissive or may come across as trite… but I always answer “For the money.” I recognize that the question, when asked, is typically more of a morality question. And yet, the concept of stealing payment account data is so foreign that the majority of consumers and merchants simply don’t consider the concept tenable.

There is something to be learned in that realization. The concept of discussing the importance of a risk-based approach to security may need to start at an earlier level than that which the industry engages today. I always like to begin such discussions with the “Why”.

Why does security matter?

And yet, maybe I should begin elsewhere*…

Why does someone want your, or your customers’, payment account data?

What’s your perspective? Agree? Disagree? Anything to add? Critiques? The comment form is below…

* I recognize this is dependent upon the audience.

August 18, 2009
