Heartland Payment Systems, the NASDAQ-listed credit card processor (ticker HPY), has been hit by a massive data theft, with a reported 100 million credit card details stolen over a period of weeks, despite having been assessed as PCI compliant.
Heartland, which “handles over 4 billion transactions per year, putting [HPS] in the top five processors of payment transactions in America”, had attackers inside its systems for several weeks.
The incident was first reported on 20th January 2009; reports suggested it was part of a global cyber-crime operation and that the Department of Justice (DoJ) and other federal agencies were involved in the investigation.
Initial reports suggested that the attack used keystroke-logging software to steal the data. That does not add up. With over 100 million card details reported stolen, a single compromised machine cannot account for the volume; a key logger would have had to be planted on thousands of machines around the company, and even then it is hard to see how all those details could have been typed in over a period of weeks. Card data at a processor arrives over the network rather than through a keyboard, so a keystroke logger is unlikely and a network sniffer is a far more plausible collection method.
The article by eiQViews points out that HPS had been PCI vetted and that its systems were logged, yet this did not stop the data breach. It lists several ways the activity should have been visible:
- The malware was installed on a number of devices, which means the configuration was changed in some way, shape or form. SecureVue tracks configuration data and reports on changes that don’t adhere to the baseline policy.
- Key loggers and sniffers are very resource intensive, so the compromised devices would have displayed significant performance anomalies. SecureVue monitors the performance characteristics of the devices, so the administrators would have been alerted to these issues.
- The malware was some kind of executable, and SecureVue’s asset management capabilities track executables on managed devices, so the attack would have been caught that way as well.
- Finally, the attackers can’t monetize the stolen credit card data until they send it outside of the network for mining, so our network flow analysis would have alerted us to the fact that a strange traffic flow was being sent from those devices to a site outside of the network.
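To make the last point concrete, below is a small baseline-and-deviation check of the kind a flow-analysis tool performs. It is an added example written for this post, not code from the eiQViews article, from Heartland, or from the SecureVue product. The hosts, networks, dates and byte counts are constructed, and the external addresses are taken from the RFC 5737 documentation ranges. The code learns which external destinations each internal host normally talks to and how much it sends per day, then flags a never-before-seen destination and a day whose outbound volume far exceeds the learned peak.

```python
"""Baseline-and-deviation check over flow records for outbound data from payment hosts.

Added example, not code from the original post or from eIQnetworks/SecureVue.
Hosts, networks, dates and byte counts are constructed; external addresses come
from the RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the card-processing environment lives in these RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record, as a NetFlow/IPFIX exporter would emit it."""
    day: str        # calendar day the flow was observed, YYYY-MM-DD
    src: str        # internal source host
    dst: str        # destination host
    dport: int      # destination port
    out_bytes: int  # bytes sent src -> dst


def is_external(addr: str) -> bool:
    a = ip_address(addr)
    return not any(a in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per internal host, its known external destinations and its busiest
    day of outbound bytes to the outside. Internal-only flows are ignored: a
    processor moves far more data internally than it ever sends out."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not is_external(f.dst):
            continue
        dests[f.src].add(f.dst)
        daily[f.src][f.day] += f.out_bytes
    peak = {src: max(days.values()) for src, days in daily.items()}
    return dests, peak


def find_anomalies(baseline, flows, factor=3):
    """Flag a host talking to an external destination it has never used, and a
    day whose outbound total exceeds `factor` times that host's baseline peak.
    A host with no baseline at all is treated as having a peak of zero, so any
    external traffic from it is reported."""
    dests, peak = baseline
    daily = defaultdict(lambda: defaultdict(int))
    alerts = []
    seen_new = set()
    for f in flows:
        if not is_external(f.dst):
            continue
        if f.dst not in dests.get(f.src, set()) and (f.src, f.dst) not in seen_new:
            seen_new.add((f.src, f.dst))
            alerts.append(("new_external_destination", f.src, f.dst, f.day))
        daily[f.src][f.day] += f.out_bytes
    for src, days in daily.items():
        for day, total in sorted(days.items()):
            if total > factor * peak.get(src, 0):
                alerts.append(("outbound_volume_spike", src, day, total))
    return alerts


# Constructed baseline: 10.1.5.20 is a settlement host that sends a few MB a day
# to an acquirer at 203.0.113.10 and a great deal more to an internal database.
BASELINE_FLOWS = [
    Flow("2008-12-01", "10.1.5.20", "203.0.113.10", 443, 4_000_000),
    Flow("2008-12-02", "10.1.5.20", "203.0.113.10", 443, 5_000_000),
    Flow("2008-12-03", "10.1.5.20", "203.0.113.10", 443, 4_500_000),
    Flow("2008-12-03", "10.1.5.20", "10.1.9.4", 1433, 900_000_000),
]

# Constructed holiday-period flows: normal acquirer traffic plus a 60 MB push
# to an address the host has never contacted before.
HOLIDAY_FLOWS = [
    Flow("2008-12-25", "10.1.5.20", "203.0.113.10", 443, 4_200_000),
    Flow("2008-12-25", "10.1.5.20", "198.51.100.77", 443, 60_000_000),
]


def demo():
    return find_anomalies(build_baseline(BASELINE_FLOWS), HOLIDAY_FLOWS)


if __name__ == "__main__":
    for alert in demo():
        print(*alert)
```

On the constructed data this raises two alerts for 10.1.5.20 on 2008-12-25: a new external destination (198.51.100.77) and an outbound total of 64.2 MB against a learned peak of 5 MB. The caveats matter as much as the alerts: a real processor legitimately talks to many acquirers and card networks, so the baseline needs far more than three days and an allow-list of known partners, and an attacker who trickles data under the threshold, or relays it through a destination that is already on the baseline, will not trip a check like this.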
Despite all of this, the data theft was not detected during the weeks in which it is reported to have occurred. The fact that Heartland has set up a website called 2008Breach indicates that the attacks were going on last year (or perhaps it is a PR move to make the attacks look like last year’s news).
If the attacks did start last year, over Christmas, this would have been an excellent move by the attackers, who know that staffing is generally reduced during holiday periods, perhaps mimicking the infamous Christmas Day attack. Perhaps it is time that IT security departments stopped reducing staff over the holidays, as reports suggest this is an optimum time for attacks.
Currently this is being reported as the biggest attack of its kind ever, and the numbers are astounding. Perhaps next year there will be yet another new record.