How One 'No Name' Musician Used Free Music To Build A Following
FCC Again Wants Details From Comcast On Its Traffic-Shaping Efforts

May Have A New Winner In The Largest Security Breach Ever Department

Scams

from the and-it-will-get-larger,-I'm-sure dept

Tue, Jan 20th 2009 5:01pmMike Masnick
In the past, we've joked about how with pretty much every security breach, there's an initial estimate of the damage done, followed much later by a second report that admits the breach impacted many more people. It happened with the VA. It happened with Choicepoint. And, it happened with TJX, who raised the bar on being the worst security breach ever not once, but twice to impact nearly 94 million people. Who could top that?

Step up to bat, Heartland Payment Systems. Chris writes in to point out that Heartland appears to have picked a pretty good day to announce a security breach that may impact over 100 million people. Everyone's off paying attention to the inauguration, so they might miss the news as it comes out today -- but they're likely to hear about it soon enough. It appears that Heartland's own computers were infected with malware which passed on information about transactions to some scammers.

Heartland is now claiming that this really isn't that big a deal, because personal information wasn't included in the breach -- meaning the data was useful for creating new cards with bogus data, but not useful for "card not present" transactions such as internet transactions or creating fake cards of real people. Because of this, Heartland doesn't think that it should need to offer credit monitoring services to impacted users, which has become the somewhat standard penance for those caught leaking credit card info.

Of course, some are already questioning the timing of announcing the breach. Considering they figured out what happened a week ago, it does seem a bit of interesting timing to wait until the inauguration was underway to disclose this information.

Still, given the history of so many earlier breaches turning out to be much worse later on, what's the over-under on the next announcement about how much worse this breach actually was?

Filed Under: credit cards, security breach
Companies: heartland payment systems

15 Comments | Leave a Comment

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • identicon
    debbie, 20 Jan 2009 @ 5:35pm

    Contest?

    I'm starting to think there's some kind of prize on the line. It sure looks like organizations that collect personal information are engaged in a race to the bottom.

    reply to this | link to this | view in chronology ]

    • identicon
      Another Anonymous Coward, 20 Jan 2009 @ 6:22pm

      Re: Contest?

      I worked as a sr. manager and exec. at a place that had a couple major intrusions. The big problem is that the top end business guys see security as a soft cost and they prefer to the dice rather than spend the money on security and proper processes. It's the ISO's who get canned as the scapegoats anyway.

      Only when the business guys will feel the pain (i.e., serious bottom line or personal liability), will this get any better. Lawsuits are not putting enough pressure on companies to do better, given the difficulty in proving that someone's fraud is related to a particular intrusion.

      Right now our only safety is in numbers.

      reply to this | link to this | view in chronology ]

      • identicon
        Another Anonymous Coward, 20 Jan 2009 @ 6:23pm

        Re: Re: Contest?

        I worked as a sr. manager and exec. at a place that had a couple major intrusions. The big problem is that the top end business guys see security as a soft cost and they prefer to roll the dice rather than spend the money on security and proper processes. It's the ISO's who get canned as the scapegoats anyway.

        Only when the business guys will feel the pain (i.e., serious bottom line or personal liability), will this get any better. Lawsuits are not putting enough pressure on companies to do better, given the difficulty in proving that someone's fraud is related to a particular intrusion.

        Right now our only safety is in numbers.

        reply to this | link to this | view in chronology ]

  • identicon
    brwyatt, 20 Jan 2009 @ 5:50pm

    No one ever thinks....

    This only happens because no one thinks that it can/will happen to them. Everyone feels that only the basics are enough.

    Heck, my bank password is my least secure password because the force you to use the minimum. Your password must be no longer than 8 characters, and must include both letters and numbers. When most of my passwords are >20 characters, I ask you: would you rather hack my online banking? or my email account?

    Legal requirements are NOT enough. These companies should be forcing AT LEAST >12 characters, heck, >20. TrueCrypt will let you use

    reply to this | link to this | view in chronology ]

    • identicon
      NotBob, 20 Jan 2009 @ 6:21pm

      Re: No one ever thinks....

      That's kind of interesting. I bank at a local bank, not one of the big ones. I was going to say one of the big five but are there even five? But I digress... Not only do I have to have my password, I have to answer a self-chosen security question, and I have to have a pass phrase and a graphic that match what I set up. Sadly, all that security gets annoying, even when I know it's for my personal benefit.

      reply to this | link to this | view in chronology ]

      • identicon
        nasch, 21 Jan 2009 @ 1:34pm

        Re: Re: No one ever thinks....

        That would described as "Wish-It-Was-Two-Factor Authentication", right? Rather than something you know + something you have, they went with something you know + something you know + something you know + something you know.

        reply to this | link to this | view in chronology ]

  • identicon
    Matt T, 20 Jan 2009 @ 6:07pm

    Figured out what happened a week ago...

    What happened last week?

    reply to this | link to this | view in chronology ]

  • identicon
    Enough already, 20 Jan 2009 @ 6:40pm

    Oh - It's ok, they didn't defraud me

    Well, no - it's not ok. We all pay indirectly for the incompetence and grandiose attitudes exhibited by these poor excuses for business.

    The consequences for their actions, or lack thereof, needs to be commensurate with the damage caused.

    Until such time, the problem will only get worse.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 20 Jan 2009 @ 7:14pm

    largest security breach ever winner: george w bush

    reply to this | link to this | view in chronology ]

  • identicon
    IntoTheForge, 20 Jan 2009 @ 7:23pm

    Wootz

    to TrueCrypt. I'm glad all my money not secured on my property is invested in community owned and run banks. Makes it hard to buy stuff on newegg, but tis worth it.

    reply to this | link to this | view in chronology ]

  • identicon
    Zaphod, 20 Jan 2009 @ 9:06pm

    Hmm, so having the number on the card in your hand lets you use it?

    Normally, I don't go for religious diatribe, but...

    What if the mark of the beast is holding the credit card in your hand? As the article states: "but not useful for "card not present" transactions such as internet transactions"

    Now reread Revelation 13:17-18...

    "And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name. Here is wisdom. Let him that hath understanding count the number of the beast: for it is the number of a man; and his number is Six hundred threescore and six."

    Spooky familiar no?

    P.S. Nope, normally I wouldn't bring up religion here, and haven't, but this just kinda jumped out at me.

    reply to this | link to this | view in chronology ]

  • identicon
    Eadwacer, 21 Jan 2009 @ 3:21am

    It's Not Over Yet

    What's really scary is that, traditionally, the initial announcements of data loss understate the seriousness of the problem. Look how the size of the TJX loss grew over the course of a few months.

    reply to this | link to this | view in chronology ]

  • identicon
    marquisem, 21 Jan 2009 @ 9:13am

    it's very simple

    Real life is not Law and Order, CSI or the Mentalist. Forensics, including data forensics, take time. When a company realizes they have a breach, they don't instantly (or even in an hour) know the full extent. As they do more in-depth research, they get the full picture. You can get quick information or you can get accurate information.

    For that matter incident management, building a PR effort and putting resources in place to manage the questions from media and consumers also aren't instant activities.

    And no, I don't work for TJX, Choicepoint or Heartland.

    reply to this | link to this | view in chronology ]

  • identicon
    Mich, 21 Jan 2009 @ 9:31am

    Jail??

    I guess stupidity is still a viable defense. When will we see folks go to jail for their breach of fiduciary responsibility? Not even Bernie is in jail ...

    reply to this | link to this | view in chronology ]

  • identicon
    dania, 21 Jan 2009 @ 4:52pm

    mike...

    you're a boob! a week is no time at all for a large company to finalize talks with the Secret Service then release news to the public!

    GROW UP!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

How One 'No Name' Musician Used Free Music To Build A Following
FCC Again Wants Details From Comcast On Its Traffic-Shaping Efforts
Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories

Monday

19:36 THE Ohio State University Applies For THE Stupidest Trademark In THE World (1)
15:36 Twitter And Facebook Removing Chinese Disinfo Campaigns Shows That, Contrary To Popular Opinion, They Do Moderate Against Disinfo (8)
13:36 Moviepass Changed User Passwords So They Couldn't Use The Flopping Service (13)
12:00 NC Appeals Court Withdraws Its Horrendous, Free Speech-Damaging Opinion On Retaliatory Arrests (12)
10:44 Beto O'Rourke Joins The Silly Parade Of Confused Politicians Looking To Destroy Section 230 (57)
10:39 Daily Deal: Google Analytics Training (0)
09:19 Latest 'Google Whistleblower' To Prove Anti-Conservative Bias Doesn't Prove Anything And Appears To Be Bigoted Conspiracy Theorist (57)
06:22 As The NSA Declares Phone Record Program Dead, Trump Administration Asks For A Permanent Reauthorization (14)

Sunday

12:00 Funniest/Most Insightful Comments Of The Week At Techdirt (8)

Saturday

12:00 This Week In Techdirt History: August 11th - 17th (0)
More arrow
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.