Heartland card data heist could be part of a global scam

Fortify Software, the application vulnerability security specialist, says that the Heartland Payment Systems data breach - which could turn out to be largest data heist of its type in history - was probably the result of highly sophisticated software installed on the card processing firm's computer systems.

"It will be interesting to see how this incident pans out. Our best guess is that the software was either installed by a sleeper, a rogue employee working inside the firm who passed the usual vetting procedures, or a direct systems attack followed by the insertion of a custom application on the processor's IT resources," said Rob Rachwald, Fortify's director of product marketing.

"The $64,000 question, of course, is whether Heartland and the US Secret Service, who are working with company staff on an investigation, will reveal the actual modus operandi of the fraudsters. I somehow think this will not happen," he said.

According to Rachwald, assuming - as seems likely - the rogue software was inserted into Heartland's payment computers, the question of Secret Service staff lips will be `what happened to the security systems the card processor employs?'

Heartland, he explained, is the sixth largest card transaction processor in the US with around a quarter million businesses on its books, and processes 100 million transactions each month.
"Reports are also coming in that Forcht Bank, one of the top ten banks in Kentucky, has started reissuing more than eight thousand debit cards to customers, owing to its systems being compromised. If the two incidents are related as Secret Service and Department of Justice officials have intimated, then the card processing industry could have a major challenge on its hands," he said.

"Both incidents seem unrelated, since Forcht uses a different transaction processor to Heartland. Unconfirmed reports also suggest that these two cases could be part of a much larger global scam, although that remains to be confirmed," he added.

Rachwald went on to say that the authorities have been throwing everything they have at the Heartland data breach, with two forensic audit teams working at the New Jersey card processor since late last year, when Visa and MasterCard notified the company of suspicious activity. Forch Bank's transaction processor, Star, he added, is also investigating the source of its loss, data from which has been tapped to produce a number of cloned debit cards.

"It's good to see that Heartland has established a Web site - www.2008breach.com - to provide information about the incident to customers and other interested parties, but the authorities and the IT security industry in general is going to want to know how these incidents happened, and how they can be prevented from happening again in the future," he said.

For more on the Heartland data breach: http://tinyurl.com/8admv4

For more on Fortify Software: http://www.fortify.com

Yvonne Eskenzi