Some experts say this latest security attack within a large enterprise payment processing company represents the "tip of the iceberg," indicating a strong possibility of more undetected attacks on slightly smaller companies with vulnerable networks.
"[Hackers] are going midsize to larger size right now. Obviously the small retailers and Web sites aren't secure at all. But most of the midsize and large corporations are also not secure," said Mandeep Khera, chief marketing officer for application security and risk management consulting company Cenzic, based in Santa Clara, Calif. There likely won't be many large-scale attacks like the Heartland breach simply because of the size and scope, Khera said. "It obviously takes more planning. At the same time, you'll see a few large ones but hundreds of other midsize data breaches. That's the weakest link," he added.
Most of the time customers, especially SMBs, aren't aware that they're being hacked, Khera said, prompting him to advise customers to secure their Web applications. He said his customers often respond that they're not being attacked.
"My bounce back is, 'How do you know?'" Khera said. "I suspect there are a lot of sites being hacked that millions of people don't know about, and we're still shocked at how many sites are vulnerable out there." Company executives at Heartland, Princeton, N.J., said they first learned of the actual security breach in October 2008, when credit card companies Visa and MasterCard alerted them to suspicious activity occurring in credit card transactions.
Heartland issued a press release officially announcing the breach on Tuesday, Jan. 20, the day of Barack Obama's presidential inauguration. Heartland President and CFO Robert Baldwin Jr. said in the written statement that the company "immediately notified federal law enforcement officials as well as the card brands" upon learning of the breach. Baldwin said that Heartland was "cooperating closely" with officials from the U.S. Secret Service and Department of Justice, who assisted in the investigation, along with several forensic auditors enlisted by the company.
Baldwin said the breach might have been the result of a widespread global cyberfraud operation after the investigation revealed that malicious information-stealing software might have exposed copious amounts of data in Heartland's network.
"Most of these companies don't even know they're being hacked," Cenzic's Khera said. "They would never have caught this problem if Visa and MasterCard didn't notice something fishy on the transactions."
Following the investigation, Heartland executives said that they took additional mitigating steps to secure the company's systems, including a plan to implement a next-generation program to alert users of malicious threats attacking the network in real time.
"It's not about preventing [security breaches] per se, but detecting them as quickly as possible," said Eric Skinner, CTO of Addison, Texas-based Entrust, which specializes in digital certification and data protection. Skinner said the incident could be representative of the corporate insider threat, in which an individual exploits access to a company's network or data systems.
While federal regulatory compliance mandates, such as PCI DSS, take into account external threats, Skinner said it's only a matter of time before credit card companies step up their requirements to protect businesses from internal threats. As a result, he said that corporations will likely start to adopt data loss prevention technologies that encrypt internal communications within the network.
"What you're seeing here is the weakest link in the chain. Heartland locked down their external communications very well and someone went after them on the inside," said Skinner. "We just have to keep on learning from these incidents and react accordingly."
