Saturday, January 24, 2009

More on Heartland Data Breach

According to Evan Schuman of StorefrontBacktalk, the Secret Service has identified a suspect in the Heartland data breach case whose location is "somewhere outside North America" and that the matter has been turned over to the U.S. Justice Department, according to someone close to the investigation.

Heartland first learned of the breach in late October/early November, according to Heartland spokesman Jason Maloni, and that the niffer application had already been deactivated, presumably by the cyber thieves who had planted it. Whether it had been fully terminated or merely dormant, programmed to awaken at some future point, is not yet known. It is possible the thieves shut off the sniffer to make it more difficult for investigators to discover their location.

Maloni also confirmed that Heartland had been certified as PCI compliant in April 2008.

Heartland’s CEO, Robert O. Carr, issued a statement Friday, reports Schuman, that his company is faring well despite the announcement of the breach. Heartland has "added more than 400 merchants to its client base in the past few days, exceeding results for the same period from last year," Carr said. "Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning." These new clients were presumably already signed up before the disclosure.

Carr also more openness regarding cyber assaults. "I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks," Carr said. "Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

Does this mean that there are significant numbers of other data breaches that have thus far gone unreported?

No comments:

Web Analytics