… Heartland data breach may well have been one of the biggest security breaches ever perpetrated.
Heartland Payment Systems, Inc. (HPS) provides debit, prepaid, and credit card processing, online payments, check processing, and payroll services, as well as business solutions for small to mid-sized industries. Approximately 40% of its clients are restaurants. HPS is the fifth largest credit card processor in the United States and the 9th largest in the world.
The breach occurred in 2008 at the Princeton, N.J., payment processor Heartland Payment Systems and may well have compromised "tens of millions of credit and debit card transactions" (Krebs; online). The breach was announced to the public on January 20, 2009, the day of Obama's inauguration.
At the time, Heartland processed payments for more than 250,000 businesses when it began receiving reports of fraud from MasterCard and Visa on cards that had been used at merchants that relied on Heartland to process payments.
Ultimately, it was discovered that the source of the breach lay in a piece of malicious software that had been inserted in the company's payment processing network and that recorded payment card data of thousands of Heartland's retail clients as it was being sent for processing to Heartland.
The stolen data included names, credit and debit card numbers and expiration dates as well as the digital data that was encoded onto the magnetic stripe that is placed on the backs of credit and debit cards.
With that information, thieves can construct fabricated cards and plant the data into those cards.
With intense investigation under way and with concentrated efforts to revamp their security, Visa and Heartland issued a statement, on May 1, 2009, that Heartland had successfully validated its compliance with PCI DSS and had been returned to Visa's list of PCI DSS Validated Service Providers. In August 2009, Albert Gonzalez was indicted for fabricating and organizing the fraud.
The company, however, had lost more than $12.6 million, a figure which included legal costs and fines from MasterCard and Visa (Messmer, 2009).
The Heartland fraud came soon after a smattering of similar data security breaches at several other major U.S. card processors. That same year, RBS Worldpay, a branch of Citizens Financial Group Inc., disclosed that a data breach of its payment systems may have affected more than 1.5 million clients, whilst the year before, TJX Companies Inc., associated with Marshalls and TJ Maxx, revealed that several data breaches over a 3-year period affected approximately 45 million credit and debit card numbers.
Meanwhile, in 2005 a breach at another payment card processor, CardSystems Solutions, impacted 40 million credit and debit card accounts (Krebs, 2009).
One result of the Heartland fraud was the company's introduction of end-to-end encryption, the first of its kind in the U.S.A. This end-to-end encryption was imported from Spain, where it was hugely successful, partially because it kept encryption key management simple for merchants.
Heartland had to work through the five basic parts of deploying end-to-end encryption in the processing environment, and it encrypted most of its processing components with help from other parties.
Many of Heartland's merchants joined in purchasing the specialized equipment that was necessary for the project, and Heartland sold the equipment at an attractive price.
This end-to-end encryption was a novel approach and was closely watched by interested parties such as Visa, with the intention of possibly adapting the system at some time in the future should it prove to be advantageous.