2009-02-14

Irresponsible disclosure

Did you know that last year, Heartland Payment Systems suffered a data breach that "may have compromised tens of millions of credit card transactions?" Me neither, until I received a notice in the mail that my card may have been one of the ones compromised. Why hadn't we heard of this? Perhaps because Heartland decided to announce the data breach... wait for it... on inauguration day. Curious timing, don't you think, considering the breach happened last year?

A few other confounding aspects of this breach:
  • The date of compromise is unknown
  • Heartland had to be notified of this by Visa and Mastercard. They did not discover it on their own.
  • Transactions occur unencrypted, according to the bankinfosecurity.com report: 'Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."'
Heartland boasts their advocacy for end-to-end encryption despite that last bullet:
For the past year, Robert O. Carr, Heartland's chairman and chief executive officer, has been advocating for payments industry adoption of this technology — which will protect data at rest as well as data in motion — as an improvement for payment transaction security.
Certainly this claim seems dubious. In any case, the data capture and exfiltration appears to be enabled by malware installed on hosts in their payment systems network. Disk, database, and transactional encryption won't prevent compromised hosts from having access to the data in clear-text form as it's processed - clearly, this data must be unencrypted at some point in the process in memory (at least).

This is a whole bucket of fail right here.

No comments: