Wednesday, January 21, 2009

More on the Heartland Breach...a lot more...

Clarification: In a Monday post, "Hackers Affect Debit and ATM Networks," I alluded to the fact that 8500 debit cards were disabled by Forcht Bank because they were compromised. "The cards were compromised when a retail merchant’s computer system was hacked, Forcht's COO Eddie Woodruff said. The breach affected customers of multiple banks and multiple debit and ATM networks". Woodruff went on to say: “Our debit card processor, which is a company called STAR, they had a retail customer, we’re not exactly sure who the retail customer was, and the information we believe may have been compromised,” he said. Well, this is not entirely true.

In fairness,  I also reported that First Data Corporation, which operates the STAR Debit and ATM Network, would not comment on how many other banks were affected, but did release in a statement Monday that "the debit card issue we were alerted to could affect not only STAR but also other debit networks."  They also said: "this situation is not related to any First Data processing systems or practices."
It now seems like the "hackers affecting the debit and ATM Networks" was related to the Heartland Payment Systems (HPS) breach.


I would look for the Heartland breach to get bigger. From everything I've gathered,  it looks to me like the malicious software went undetected for  about 6 months. 

Right now, the conjecture is that 100 million cards have been breached, making it the largest breach ever, blowing away TJ Maxx (45 million, later bumped to 92 million in court papers) and CardSystems (40 million).

But 100 million is HPS' "monthly" volume. As I said, this went undetected for months. So, as did the numbers for TJX, expect that "100 million" number to rise. Heartland had 600 million cards go through from May through "late fall" when they discovered the breach. So the final numbers will come in between 100 and 600 million.

That's scary enough, but what's really scary here is that Heartland got breached as they unencrypted the information to get authorization from Visa, MasterCard, American Express and Discover. In other words, encrypted information needs to be unencrypted in order to complete the transaction. Heartland's COO, Robert Baldwin, stated, “We have industry-leading encryption, but the data has to be unencrypted to request the information, the sniffer was able to grab that authorization data at that point.”

So if that's the point that the sniffer was capable of sniffing, then this is nothing to sneeze at. Hackers have taken another "giant step" for hack-kind... This very well may go down in the payments industry as "The Mother of All Hacks." Heartland is sure to take a huge financial hit.

I'm shocked that their stock was only down 7 cents today. I really thought their "inauguration day" "non"-announcement would rub people the wrong way and it would be way down. As people start to realize the magnitude of the breach, and therefore the losses associated with it, I expect HPS stock to get "massacred" by...ironically, "Valentine's Day."

And no...no...no...I'm not "heartless," just cynical...we (Pay By Touch) bought CardSystems after their humongous 40 million card breach, and the aftermath, including, but not limited to, expenses revolving around losing customers, losing ISOs, and dealing with FTC, Visa, MC, MasterCard and Discover, bled us dry. Don't believe me? Ask anyone there. Acquiring CardSystems after the breach was a huge mistake. Dealing with the breach was expensive and time consuming.

Don't believe me...how about Avivah Litan?

Avivah Litan, a data security analyst, said that the Heartland breach could result in hundreds of millions in losses and other expenses. “If you add it all up, including legal costs, it could be as much as half a billion dollars in losses — or twice as big as TJX,” she said.

Heartland has a tough road ahead of them...wonder how many shares of HPS stock Bob Carr sold, if any, after May 1st and prior to yesterday... 

PIN Debit Payments Blog
 

