Monthly Archives: January, 2009

Another Heartland Payment Systems Update

As we know it today, HPS has affected banks nationwide. Many are reissuing cards, many are not. It would seem that most banks are opting to take faith in their fraud detection technology, citing in most cases that the cost to reissue would likely exceed the costs of dealing with fraudulent charges case-by-case.

The ethics of not reissuing cards is debatable. It, in many ways, puts the responsibility of reporting fraud on the shoulders of the card holders. At the same time, one can argue that banks should not be the ones forced to bear the cost burden of this breach. We’ve read estimates anywhere from $7 to $20 per card as being the cost of replacement. Given that, we can see the reluctance of banks, though we certainly don’t endorse the practice. Chances are, the banks will seek to recoup the costs in the courts.

We’ve compiled a list of banks and card issuing institutions that we’ve found, via scouring news articles, that have been reported to be affected, with a list of the number of cards reissued when the number was disclosed. Heartland won’t tell us, so we’re trying to get an idea on our own. You can view the list here:

The list, as of the time of this writing, consists of nearly 50 organizations affected, and over 200,000 records. This is likely only the very beginning, and we may or may not keep up with it, depending on how large it mushrooms.

Meanwhile, Heartland Payment Systems is now being sued, class action style. And Robert O. Carr, Heartland Chairman and CEO is under suspicion of insider trading, per the linked article (which is fantastic, read it).

Heartland continues to claim it doesn’t know how many cards are affected. This seems completely improbable. Someone knows, be it Visa, Mastercard, or Heartland, someone must know. It would appear that Visa and Mastercard are the organizations doing most of the “talking” with the card issuers, giving them lists of cards, etc. Yet, still no total. Someone knows the total, or has a rough idea.

Poted by d2d not emailing users regarding breach

According to this slashdot post, does not plan on notifying users regarding its recent account security breach.

Granted, they’ve listed a fairly prominent Security Notice on their home page, but it seems a little irresponsible to not email their clients, or automatically force a password change for these accounts. I suspect most institutions would do that by default in the event of a compromise.

Last time was breached (in 2007), they supposedly snail mailed millions of users warning them, worried that users wouldn’t trust email as a result of the breach. Perhaps they’ll snail mail again?

Posted by d2d.

The Blotter, Heartland, and Donations

According to a article, a suspect has been pinpointed in the Heartland breach, and the suspect is international. Also, banks around the country are in the process of notifying their customers. Some Attorney General’s Offices are also inquiring about the incident.

We are waiting a little bit for the dust to settle, and then we intend to send out FOIA equivalent requests to receive Primary Sources for the Archive. Once we know more about the total breadth and scope of this, we’ll be sure to share. But in the meantime, introducing…

The Blotter, a new resource we’re pushing news on identity theft to. Many “breaches” or breach-like incidents cross our desks every day, many don’t quite qualify for inclusion into our database as “Incidents”, such as the recent breach that may have exposed information about millions, but does not appear to qualify as a trigger under most breach notification laws — the data simply isn’t what most laws consider “sensitive” enough. We’ll be updating this very regularly.

Lastly, we have several pending Freedom of Information requests that we’re waiting on, and several more to make, but these things are expensive! Please donate using the buttons below to help us fund this endeavor.


Posted by d2d.

Breach Notification to 700 New Hampshire Restaurants

Per WMUR9 New Hampshire, Heartland is encouraging the New Hampshire Lodging & Restaurant Association to notify 700 restaurants regarding the breach.

The New Hampshire Lodging and Restaurant Association is one of 12 Affiliate organizations listed on the heartland payment systems website. The others are:

These are not the only states affected, but it would seem likely that these states will be affected.

Posted by d2d

Heartland Payment Systems Breach Update

As many can tell by now, the breach has snowballed significantly, finding its way into hundreds of news articles, mostly containing the same information with slightly different wording. What follows is a time line as experienced by OSF, Data Loss DB, and our volunteers.

About a week ago, we heard “whispers”, what we call tips from folks who wish to remain anonymous, that something large had occurred with First Data. We did some degree of research, but came up with nothing, and moved on to our other duties.

Monday of this week, we discovered through our feeds this article mentioning First Data. Red flags a plenty came up, as its rare that a “whisper” goes much beyond a “whisper”. We immediately got in contact with those who wrote the article, and they indicated that they could get little information from First Data regarding the situation. We then began searching for data on other banks to see what we could find, and we came up with at least 5 other small banks posting notices regarding credit/debit cards. We wrote a brief post about what we thought we were seeing, and updated it as things changed.

We knew we had stumbled onto something large, but we thought it was involving First Data. The verdict is still out on whether Forcht Bank had anything to do with Heartland, as there are very conflicting reports about this, but our assumption for the time being is that it is the same breach.

We sounded alarms, and contacted several reporters and bloggers that we had worked with in the past. One or two articles later, the cat was out of the bag, and Heartlandissued a public statement regarding their breach. From there, other media outlets fed on the news, and here we are.

At this time, banks around the country are being notified, and are issuing new cards to their customers. We still have no total number affected, but there has been speculation of 100 million cards. Some are speculating that the total may end up being larger. If it is that high or higher, it would be the largest data loss incident ever reported. It is being reported that fraud is being attributed to this breach.

There are still significant questions that are unanswered, such as: How many people were affected, are we seeing more than one breach, and how exactly did this happen?. We know it has been attributed to malicious software or something of that nature, but the “how” question is more along the lines of, how did PCI-DSS required controls not stop this from happening?

Posted by d2d

Heartland Payment Systems Breach 100,000,000?

The Washington Post is reporting that the Heartland Payment Systems breach could top 100 million credit cards, though we haven’t heard anything official yet as to a grand total.

Over the past few days we’ve been hearing noises about a potentially large breach affecting banks across the country, and this morning Heartland announced their breach. There are still questions as to whether or not all the noise we’ve been hearing is directly related to this breach, but to be sure a good chunk of it must be.

It would appear per the onslaught of articles being posted about the breach (see the references section of the breach) that this was some sort of malware induced incident at the payment processor, which happens to be one of the largest in the country. Many are poking fun at the timing of this announcement.

We will set a total on the breach once the dust settles a little, and more information is released. As we learned from previous breaches, the total can and does fluctuate immediately following disclosure, as more information becomes available.

Posted by d2d.

But…Who is it really?

Update: This is looking like it isn’t a breach at a retailer, but a breach at a card processor. This is till unfolding, and could be unrelated to this, but it is increasingly looking like Heartland Payment Systems is the source. If anyone has evidence of any kind linking the Heartland breach to the these banks, drop us an email.

A recent article suggests that a major retailer has had a significant breach, affecting thousands of card holders. The breach apparently involves a merchant of First Data Corporation, the organization that runs the STAR debit/ATM network. It may also be affecting customers of banks around the country.

The question is, who is this major retailer? We’re hearing rumblings that this is a significant breach. Unfortunately, those covering it thus far haven’t quite dug up that information.

This isn’t the first time we’ve heard of a retailer having a problem, only to never find out the retailer’s name, but this one seems more significant than those before. We heard similar rumblings before the Hannaford incident.

Update: This article may be related?

What would a card processor gain by protecting the identity of an offending merchant? Several theories have been put forth. In a bad economy, it could be their desire not to negatively affect an already beaten down consumer confidence. Or perhaps it could be to protect the retailer, again given the economy. Or perhaps there is more to it, perhaps the retailer in question were PCI compliant, and disclosure of the retailer would bring about additional criticism for PCI’s Data Security Standard.

And what of breach notification laws? Does forcing the banks (who know little to no details) to send out notifications, in place of the offending merchant, comply with the laws? Or does it circumvent the spirit of them? Are data breach notification laws in existence just to notify consumers of fraud, or are they also meant to help consumers make safer choices with who they do business with?

Hopefully someone will shed a little light on this situation in the near future.

Posted by d2d

The Curious Case of Express Scripts

The recent Express Scripts breach is a fascinating one. It would appear to involve an extortion letter sent first to Express Scripts detailing the personal information of several customers’ customers. It then evolved to include extortion letters to Express Scripts customer-organizations likeToyota, and supposedly others:

“Subsequently, Express Scripts has become aware that a small number of its clients recently received letters threatening to expose the personal information of its members.”, per the web site setup to provide information about the incident.

In truth, the website appears to provide little information at all, and given that Express Scripts provides services to some 50 Million people, this breach could soon find its way on our top ten list.

Posted by d2d