A few other confounding aspects of this breach:
- The date of compromise is unknown
- Heartland had to be notified of this by Visa and Mastercard. They did not discover it on their own.
- Transactions occur unencrypted, according to the bankinfosecurity.com report: 'Data, including card transactions sent over Heartland's internal processing platform, is sent unencrypted, he explains, "As the transaction is being processed, it has to be in unencrypted form to get the authorization request out."'
For the past year, Robert O. Carr, Heartland's chairman and chief executive officer, has been advocating for payments industry adoption of this technology — which will protect data at rest as well as data in motion — as an improvement for payment transaction security.

Certainly this claim seems dubious. In any case, the data capture and exfiltration appear to have been enabled by malware installed on hosts in their payment systems network. Disk, database, and transactional encryption won't prevent compromised hosts from having access to the data in clear-text form as it's processed. Clearly, this data must be unencrypted at some point in the process, in memory at least.
This is a whole bucket of fail right here.