Sweet merciful crap. Brian Krebs has a story today about a breach at the payment processor Heartland Payment Systems, which happened last year. That in and of itself would be bad but,

…it gets worse.

From Washington Post:

Heartland called U.S. Secret Service and hired two breach forensics teams to investigate. But Baldwin said it wasn’t until last week that investigators uncovered the source of the breach: A piece of malicious software planted on the company’s payment processing network that recorded payment card data as it was being sent for processing to Heartland by thousands of the company’s retail clients.

Baldwin said Heartland does not know how long the malicious software was in place, or how many accounts may have been compromised. The stolen data includes names, credit and debit card numbers and expiration dates.

“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”

So, card data from on the order of 100 million transactions a month may have been in the wind, and for some time now. The fit will really hit the shan.

Read on.

Article Link

UPDATE: A bloody excellent point! Rich Mogull makes the observation that Heartland appears to have naively tried to bury the disclosure behind today's inauguration.

UPDATE 2: So the question on people's lips is: was Heartland compliant? Sadly, yes. According to their assessor, Trustwave, they were certified compliant in 2007 under the MasterCard SDP (Site Data Protection) program (reference: link; credit: Marcin, via the comments on the Securosis post).

Compliance is a good thing to have but, for fsck's sake, don't stop there. It is the bare minimum. Being in compliance with the laws and industry rules of the land in your respective part of the world merely means that you are doing the minimum. Never forget that.
