May Have A New Winner In The Largest Security Breach Ever Department
from the and-it-will-get-larger,-I'm-sure dept
In the past, we've joked about how, with pretty much every security breach, there's an initial estimate of the damage done, followed much later by a second report that admits the breach impacted many more people. It happened with the VA. It happened with Choicepoint. And it happened with TJX, which raised the bar on being the worst security breach ever not once but twice, ending up impacting nearly 94 million people. Who could top that?
Step up to bat, Heartland Payment Systems. Chris writes in to point out that Heartland appears to have picked a pretty good day to announce a security breach that may impact over 100 million people. Everyone's off paying attention to the inauguration, so they might miss the news as it comes out today -- but they're likely to hear about it soon enough. It appears that Heartland's own computers were infected with malware which passed on information about transactions to some scammers.
Heartland is now claiming that this really isn't that big a deal, because personal information wasn't included in the breach -- meaning the data was useful for creating new cards with bogus data, but not useful for "card not present" transactions such as internet transactions or creating fake cards of real people. Because of this, Heartland doesn't think that it should need to offer credit monitoring services to impacted users, which has become the somewhat standard penance for those caught leaking credit card info.
Of course, some are already questioning the timing of the breach announcement. Considering they figured out what happened a week ago, the timing does seem a bit interesting: waiting until the inauguration was underway to disclose the information.
Still, given the history of so many earlier breaches turning out to be much worse later on, what's the over-under on the next announcement about how much worse this breach actually was?
Reader Comments
Contest?
Re: Contest?
Only when the business guys will feel the pain (i.e., serious bottom line or personal liability), will this get any better. Lawsuits are not putting enough pressure on companies to do better, given the difficulty in proving that someone's fraud is related to a particular intrusion.
Right now our only safety is in numbers.
No one ever thinks....
Heck, my bank password is my least secure password because they force you to use the minimum. Your password must be no longer than 8 characters, and must include both letters and numbers. When most of my passwords are >20 characters, I ask you: would you rather hack my online banking, or my email account?
Legal requirements are NOT enough. These companies should be forcing AT LEAST >12 characters, heck, >20. TrueCrypt will let you use
Re: No one ever thinks....
Re: Re: No one ever thinks....
Figured out what happened a week ago...
Oh - It's ok, they didn't defraud me
The consequences for their actions, or lack thereof, need to be commensurate with the damage caused.
Until such time, the problem will only get worse.
Wootz
Hmm, so having the number on the card in your hand lets you use it?
What if the mark of the beast is holding the credit card in your hand? As the article states: "but not useful for 'card not present' transactions such as internet transactions".
Now reread Revelation 13:17-18...
"And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six."
Spooky familiar no?
P.S. Nope, normally I wouldn't bring up religion here, and haven't, but this just kinda jumped out at me.
It's Not Over Yet
it's very simple
For that matter, incident management, building a PR effort, and putting resources in place to manage the questions from media and consumers also aren't instant activities.
And no, I don't work for TJX, Choicepoint or Heartland.
Jail??
mike...
GROW UP!