Security Featured Article

January 26, 2009

Largest Data Breach?


Heartland Payment Systems (HPS) is the sixth largest payment processor in the United States and provides merchant services to 250,000 businesses. Last week the company publicly announced that it had fallen victim to a massive data breach that possibly compromised more than 100 million accounts after malicious software was found in its payment processing system. This could be the largest security incident in history! Ironically, this information was disclosed at the same time as discounter TJX was holding its long-anticipated "Customer Appreciation" sale related to the massive consumer data breach that compromised nearly the same number of accounts. The special sale was negotiated as part of the court settlement related to the data breach, which was disclosed by TJX back in January 2007.

 
The security breach was first discovered back in October 2008 when Visa and Mastercard alerted HPS to unusual activity. Upon learning of the breach, HPS immediately notified federal law enforcement, including the Secret Service, as well as the private card brands. The investigation is proceeding. The breach resulted from a widespread global cyber fraud operation that inserted malicious information-stealing software into HPS's transaction processing environment. Sources close to that investigation say that it appears to be yet another criminal act by an organized cyber crime ring.
 
This is just the latest incident in a long list that seems to have no end in sight. According to a study by Technolytics, the top five data breach methods are identified below (all breaches, not just financial services).
 
#1 Lost or stolen laptops
#2 Lost or stolen portable storage media
#3 Hacking via web application vulnerabilities
#4 Phishing, pharming and whaling
#5 Social engineering
 
One security expert said that it seems we patch one hole and two others are found. A recent poll found that most of the respondents wanted the software vendors whose products have vulnerabilities that are exploited to be held accountable, rather than hiding behind software license agreements.
 
Reports of fraudulent credit and debit card activity continue to flow in. No one knows what the total dollar loss will be, but one thing is for sure: it won't be small. One study found that last year each compromised customer record cost a company between $197 and $231, mostly from legal costs and lost business. What will it take before we have a fundamental change in the mindset of executives? Many treat these criminal acts as a common risk and a cost of doing business. This mindset persists even though the cost of data breaches continues to see double-digit percentage growth year-over-year. What is needed is a change of mindset, and it appears the only thing that will bring that about is regulations.
 
Fact: HPS processes about 100 million transactions a month on its systems.
Fact: About 40 percent of HPS transactions are from small to mid-sized restaurants across the United States.
Fact: In 2006, British counter-terror agents and investigators stormed the top-floor flat of al Qaeda's top cyber terrorist, 23-year-old Younes Tsouli, and discovered information on thousands of stolen credit card accounts, which is believed to have funded much of his activities. They also found that the cards were used to pay American Internet providers on whose servers he had posted jihadi propaganda.
Fact: Back in 2005, CardSystems Solutions, one of the top payment processors, went out of business after a data breach exposed 40 million credit card accounts.
 

Kevin G. Coleman, a consultant and advisor with Technolytics Institute, writes the Data Security column for TMCnet. To read more of Kevin’s articles, please visit his columnist page.

Edited by Greg Galitzine

