Heartland Data Breach Could Leave 100 Million Accounts Exposed

Company executives at Heartland Payment Systems, a credit card processing company based in Princeton, N.J., said that they suspected the attack was launched by embers of an organized international cybercrime ring.

Heartland executives first learned of the security breach in October 2008, when credit card companies Visa and MasterCard alerted them to suspicious activity processing card transactions.

Heartland Payment Systems issued a press release officially announcing the breach on Tuesday, Jan. 20, the day of Barack Obama's Presidential inauguration.

Heartland President and Chief Financial Officer Robert Baldwin Jr. said in the written statement that the company "immediately notified federal law enforcement officials as well as the card brands" upon learning of the breach. Baldwin said that Heartland was "cooperating closely" with officials from the U.S. Secret Service and Department of Justice, who assisted in the investigation, along with several forensic auditors enlisted by the company.

Baldwin said that the security breach might have been the result of a widespread global cyberfraud operation after the investigation revealed last week that malicious information-stealing software might have exposed copious amounts of data in Heartland's network.

While Heartland has not yet disclosed the exact number of compromised accounts, experts estimate that the number could well exceed 100 million, making the incident the largest security breach in history.

"Most of these companies don't even know they're being hacked," said Mandeep Khera, chief marketing officer for application security and risk management consulting company Cenzic, based in Santa Clara, Calif. "They would never have caught this problem if Visa and MasterCard didn't notice something fishy on the transactions."

Following the investigation, Heartland execs said that they took additional, mitigating steps to secure the company's systems, which include a plan to implement a program to alert users of malicious threats attacking the network in realtime.

"It's not about preventing (security breaches) per se, but detecting them as quickly as possible," said Eric Skinner, CTO of Addison, Texas-based Entrust, which specializes in digital certification and data protection.

In addition, Heartland also created a Web site -- 2008breach.com -- dedicated to providing information about the security incident. On its site, Heartland advised users to closely monitor monthly credit card and bank statements, and to immediately report any suspicious activity to appropriate authorities.

Some experts say that this latest security attack represents the "tip of the iceberg," possibly indicating a trend of more undetected attacks on slightly smaller companies with vulnerable networks.

"(Hackers) are going midsize to larger size right now. Obviously the small retailers and Web sites aren't secure at all. But most of the midsize and large corporations are also not secure," said Khera, adding that there likely wouldn't be many large-scale attacks like the Heartland breach simply because of the size and scope of the undertaking.

"It obviously takes more planning. At the same time, you'll see a few large ones but hundreds of other midsize data breaches. That's the weakest link," he said.

Meanwhile, Skinner said the incident could be due to corporate insider threats, in which an individual accesses the company's network or data systems for illegitimate purposes from within the company.

In light of the enormous amount of data lost because of the Heartland breach, Skinner said that corporations will likely start to adopt data loss prevention technologies that encrypt internal communications within the network.

"What you're seeing here is the weakest link in the chain. Heartland locked down their external communications very well and someone went after them on the inside," Skinner said. "We just have to keep on learning from these incidents and react accordingly."