Economists now embrace the concept of a recession. Information security professionals embrace the breach. As pragmatism takes a larger stage in Washington, security professionals have already come to understand the truth: security breaches have occurred, still occur each day, and will continue to occur. The questions that both economists and security professionals have become more concerned with are the same ones: how long, and how deep?
Heartland Payment Systems represents the next institution in need of a bailout. According to news reports quoting Robert Baldwin, the president and CFO for credit card processing giant Heartland Payment Systems, the full magnitude of the breach is yet to be known. The company that reportedly handles 100 million credit card transactions each month only became aware of a problem when Visa and MasterCard alerted them to possible fraudulent behavior last fall. Between last fall and January 2009, Heartland's internal review failed to turn up anything suspicious. The case required another outside entity, a forensic investigator, to uncover the breach.
Those affected will most certainly number tens of thousands and could easily reach tens of millions. While the potential compromise of the Heartland breach is daunting, the bigger issue at hand is that discovery required outside entities, namely MasterCard and Visa, to alert Heartland to a pattern of fraudulent transactions. The tragedy of this data breach is that even after these alerts a company that processes 100 million transactions a month couldn't find the problem. Finding the breach point required the skills of an outside forensic investigator.
The questions that remain today continue to diminish our trust in American financial systems. In the same way we question why the SEC failed to recognize the underhanded activities of the Bernie Madoff Ponzi scheme, everyone today is questioning how solid IT operations are at Heartland. System integrity, change management and monitoring are fundamental and foundational building blocks of any infrastructure.
This is no small or medium-sized business that could defend its failures by hiding behind a lack of experience, skills or resources. Many well-performing products are available on the market today to perform system integrity monitoring. A basic email alert to an IT systems administrator could have done much to dam the flow. At about 3 million transactions a day, even a 24-hour response time would have protected millions of people.
Tragically, many Americans already in financial turmoil will soon bear even greater risks.
I have no ill will toward Heartland for being breached; I question their most basic IT security system integrity. How can it be that a company with an audacious responsibility of this magnitude was not aware that their systems were compromised? And furthermore, how could it be unable to locate the breach once alerted? It's not the breach that matters; it's the scale and the scope of the breach that makes me ill.


Comments (1)
I have been in sales with this company for nearly 10 years. I wish when you do these types of articles you would report some facts on the kind of reputation they have earned through the years. Heartland Payment Systems has earned a reputation of honest and fair pricing in an industry that is full of unethical pricing. They have helped many, many merchants save tens of thousands of dollars of junk fees with their full disclosure pricing methods.
It doesn't take a lot of research to get an idea of the scope of this company's value to merchants. They have over 100 exclusive endorsements by individual Associations throughout the country.
This company was victimized. Apparently many companies, big banks and even U.S. Govt. had security breaches.
Please remember to report the facts.
The facts are no one's identity was stolen, no social security numbers were obtained and lastly all consumers will be protected if they report any issue in a timely manner.
Posted by Cheri krus | January 28, 2009 11:56 PM