This is the fifth in the series of Security Fails of 2009. As 2009 draws to a close I think no one would argue that this has been an extremely eventful year for IT security. While others will soon be trotting out their “best of 2009” lists, I thought I would instead visit some of the prominent fails of 2009.
In January of 2009, it was disclosed that Heartland Payment Systems had experienced an intrusion into their computers that may have compromised over 100 million customer records. After the dust settled, the breach was found to involve 130 million customer records, pushing this breach well past the previous record represented by the 2007 TJX breach that compromised 94 million records. Heartland processes 100 million payment card transactions per month for 175,000 merchants.
By December the attack was traced to admitted TJX intruder Albert Gonzalez who eventually entered into a plea agreement on the Heartland breach and additional charges that he hacked into Hannaford Brothers, 7-Eleven and two other unnamed national retailers. Heartland has allocated $12.6M for the clean-up, and as of today Heartland was still settling with American Express ($3.6M) and resolving other class action suits.
The scope of the breach re-energized conversations about the efficacy of the PCI standards and the general state of fraud protection for card-based transactions. The dialogue became more interesting when Heartland CEO Robert Carr did an interview with Bill Brenner of CSO Magazine in which Carr laid the blame squarely on the audits done by their Qualified Security Assessors (QSAs). Carr’s comments were viewed by many in the security community as “disingenuous,” as most believe that the source of the breach could have been eliminated if Heartland had applied some generally accepted security controls.
PCI has long been an industry hot button, and the Heartland attack was illustrative of the issues at hand. Heartland appeared to be in full compliance with the PCI standards, but was breached by essentially a “garden variety” SQL injection. In an interesting twist, Heartland’s traditional signature-based tools missed the attack, while the attackers actually used antivirus software to cover their tracks and avoid detection.
So what are the lessons learned? Heartland demonstrates that even the companies most sophisticated in IT security are still far too reliant on signature-based tools and must look to new and evolved technologies to close the security gaps that allow long-known vectors such as SQL injection to breach their perimeters. Heartland is also a great “exhibit A” that compliance does not equal security; a passed audit is only a snapshot showing that certain standards were in place at a point in time. Finally, in spite of calls to action to rid the card processing industry of fraud, there is not much evidence that anything other than rhetoric came from the attack, so we can fully expect to see another Heartland in 2010.
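To make the “garden variety” SQL injection point concrete, here is an added example (written for this post, not code from Heartland or from any of the systems mentioned) that puts a string-concatenated query beside a parameterized one and runs both against the same constructed input. The merchant table, its rows, and the test inputs are all hypothetical; the point is that a signature watching for “bad strings” is the wrong layer of defence, because the concatenated query also breaks on a perfectly legitimate name containing an apostrophe, while the parameterized form treats every input as data.

```python
import sqlite3

# Constructed inputs for the demonstration (not from any real incident).
INJECTION_INPUT = "x' OR '1'='1"   # classic tautology: turns the WHERE clause into "always true"
APOSTROPHE_NAME = "o'malley-deli"  # a legitimate value that also contains a quote character


def build_db():
    """Build a constructed in-memory table; this is not Heartland's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO merchants (name, api_key) VALUES (?, ?)",
        [
            ("acme-stores", "key-acme-001"),
            ("bobs-grill", "key-bob-002"),
            (APOSTROPHE_NAME, "key-om-003"),
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable form: the caller's string becomes part of the SQL text itself."""
    sql = "SELECT name FROM merchants WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    """Hardened form: the SQL text is fixed; the driver binds the value separately."""
    sql = "SELECT name FROM merchants WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def run_case(fn, conn, name):
    """Return ('ok', rows) or ('error', exception-class-name) so outcomes can be compared."""
    try:
        return ("ok", fn(conn, name))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def compare():
    """Run the three constructed inputs through both lookups and collect the outcomes."""
    conn = build_db()
    inputs = [
        ("normal", "acme-stores"),
        ("apostrophe", APOSTROPHE_NAME),
        ("tautology", INJECTION_INPUT),
    ]
    results = {}
    for label, name in inputs:
        results[label] = {
            "vulnerable": run_case(lookup_vulnerable, conn, name),
            "parameterized": run_case(lookup_parameterized, conn, name),
        }
    return results


if __name__ == "__main__":
    for label, outcome in compare().items():
        print(f"{label:11s} vulnerable={outcome['vulnerable']}  parameterized={outcome['parameterized']}")
```

Running it shows the three behaviours side by side: both lookups return the single matching row for a normal name; the concatenated query throws a syntax error on the apostrophe name (so it was never correct, attacker or not) while the parameterized one finds the row; and the tautology input makes the concatenated query return every merchant, whereas the parameterized query returns nothing because no merchant is literally named `x' OR '1'='1`. That last row is the detection lesson too: the evidence of this class of attack is a query that returns far more than one row for a lookup that should return one, which is visible in database logs regardless of what string the attacker used.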