<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Just how big was the Heartland security breach?</title>
	<atom:link href="http://www.merchantequip.com/merchant-account-blog/632/just-how-big-was-the-heartland-security-breach/feed" rel="self" type="application/rss+xml" />
	<link>http://www.merchantequip.com/merchant-account-blog/632/just-how-big-was-the-heartland-security-breach</link>
	<description>Merchant Accounts, Ecommerce, Processing Equipment</description>
	<lastBuildDate>Fri, 23 Sep 2011 22:04:18 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
	<item>
		<title>By: Daren</title>
		<link>http://www.merchantequip.com/merchant-account-blog/632/just-how-big-was-the-heartland-security-breach/comment-page-1#comment-19670</link>
		<dc:creator>Daren</dc:creator>
		<pubDate>Wed, 11 Feb 2009 22:45:47 +0000</pubDate>
		<guid isPermaLink="false">http://www.merchantaccountblog.com/?p=632#comment-19670</guid>
		<description>I think there is an error in part of your logic.  Heartland processes credit card authorization transactions, not just credit card “numbers” per se.  The “600 million” number you mention represents &lt;strong&gt;transactions&lt;/strong&gt;, not unique credit card numbers.  (As in Heartland did not process 600 million unique credit card numbers)
Heartland processes credit card payments for 250k merchants (&quot;restaurants &amp; small businesses&quot;).  Since they are processing transactions, the 600MM may include repeat transactions from the same card.  It may be impossible to say how many UNIQUE credit card numbers were compromised.  I could go to a restaurant serviced by Heartland and have my card compromised there, go to the gas station serviced by Heartland, have my card compromised there, go to the flower store serviced by Heartland to buy flowers for my wife and have my card compromised there.  Heartland processed 3 transactions but only 1 credit card number was compromised.   Hopefully this explains how there is a difference between compromised TRANSACTIONS and a compromised database of CREDIT CARD NUMBERS with authorization data.
Therefore using 600 million credit card numbers as a basis for your statistics is not the right method.  Doing so would assume that every cardholder in the USA visited one of the 250K merchants and had their card compromised.
Instead, you should consider comparing the probability of your card being exposed to Heartland through their merchants by finding out how many merchants there are in the US and the percentage of those who process through Heartland.  This may be geographic concerns as well, if Heartland is mostly east coast or west coast customers.
I agree with you that Heartland cannot say that only 100MM transactions may have been exposed when they don’t have proof that the earlier transactions were &lt;strong&gt;not&lt;/strong&gt; exposed.  The length of time the information was exposed could have added up to 600MM transactions based on what I’ve read elsewhere.
Also, on a side note, anyone can figure out credit card &quot;numbers&quot;.  There is an algorithm you can use to calculate valid credit card numbers.  However, without the authorization information (customer name, expire date, zip code, phone, CVV2, etc) the credit card number by itself is useless.  That is why a credit card authorization company server would be a pot of gold for a hacker.
I used to work in IT at a bank that consolidated credit card payments and dealt with these issues in great detail.  I showed the credit department what the next 10 credit card numbers were going to be issued by using the algorithm that checks to see if a card is a valid card number.</description>
		<content:encoded><![CDATA[<p>I think there is an error in part of your logic.  Heartland processes credit card authorization transactions, not just credit card “numbers” per se.  The “600 million” number you mention represents <strong>transactions</strong>, not unique credit card numbers.  (As in Heartland did not process 600 million unique credit card numbers)<br />
Heartland processes credit card payments for 250k merchants (&#8220;restaurants &amp; small businesses&#8221;).  Since they are processing transactions, the 600MM may include repeat transactions from the same card.  It may be impossible to say how many UNIQUE credit card numbers were compromised.  I could go to a restaurant serviced by Heartland and have my card compromised there, go to the gas station serviced by Heartland, have my card compromised there, go to the flower store serviced by Heartland to buy flowers for my wife and have my card compromised there.  Heartland processed 3 transactions but only 1 credit card number was compromised.   Hopefully this explains how there is a difference between compromised TRANSACTIONS and a compromised database of CREDIT CARD NUMBERS with authorization data.<br />
Therefore using 600 million credit card numbers as a basis for your statistics is not the right method.  Doing so would assume that every cardholder in the USA visited one of the 250K merchants and had their card compromised.<br />
Instead, you should consider comparing the probability of your card being exposed to Heartland through their merchants by finding out how many merchants there are in the US and the percentage of those who process through Heartland.  This may be geographic concerns as well, if Heartland is mostly east coast or west coast customers.<br />
I agree with you that Heartland cannot say that only 100MM transactions may have been exposed when they don’t have proof that the earlier transactions were <strong>not</strong> exposed.  The length of time the information was exposed could have added up to 600MM transactions based on what I’ve read elsewhere.<br />
Also, on a side note, anyone can figure out credit card &#8220;numbers&#8221;.  There is an algorithm you can use to calculate valid credit card numbers.  However, without the authorization information (customer name, expire date, zip code, phone, CVV2, etc) the credit card number by itself is useless.  That is why a credit card authorization company server would be a pot of gold for a hacker.<br />
I used to work in IT at a bank that consolidated credit card payments and dealt with these issues in great detail.  I showed the credit department what the next 10 credit card numbers were going to be issued by using the algorithm that checks to see if a card is a valid card number.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: carl signorelli</title>
		<link>http://www.merchantequip.com/merchant-account-blog/632/just-how-big-was-the-heartland-security-breach/comment-page-1#comment-19627</link>
		<dc:creator>carl signorelli</dc:creator>
		<pubDate>Sun, 01 Feb 2009 14:06:43 +0000</pubDate>
		<guid isPermaLink="false">http://www.merchantaccountblog.com/?p=632#comment-19627</guid>
		<description>I do agree with you that this is bad for one and all but...HPS published a MBOR, they shouted to all merchants how great they were, everyone else is the middleman, no one is better and their reps continue to all drink from the fountain of Bob Carr. Yes this could have happened to any of us but it didn&#039;t. It happened to HPS who has now violated rule #7 of the MBOR. So when you have many people that rejoice at their current problems, can you blame them?</description>
		<content:encoded><![CDATA[<p>I do agree with you that this is bad for one and all but&#8230;HPS published a MBOR, they shouted to all merchants how great they were, everyone else is the middleman, no one is better and their reps continue to all drink from the fountain of Bob Carr. Yes this could have happened to any of us but it didn&#8217;t. It happened to HPS who has now violated rule #7 of the MBOR. So when you have many people that rejoice at their current problems, can you blame them?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: John Franks</title>
		<link>http://www.merchantequip.com/merchant-account-blog/632/just-how-big-was-the-heartland-security-breach/comment-page-1#comment-19614</link>
		<dc:creator>John Franks</dc:creator>
		<pubDate>Wed, 28 Jan 2009 20:00:23 +0000</pubDate>
		<guid isPermaLink="false">http://www.merchantaccountblog.com/?p=632#comment-19614</guid>
		<description>Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk.  Data breaches and thefts are due to a lagging business culture – absent a new eCulture, breaches will, and continue to, increase.   As CIO, I look for ways to help my business and IT teams further their education.   Check your local library:  A book that is required reading is &quot;I.T. WARS:  Managing the Business-Technology Weave in the New Millennium.&quot;  It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure:  http://businessforum.com/DScott_02.html -  
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text.  It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.  
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome.</description>
		<content:encoded><![CDATA[<p>Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk.  Data breaches and thefts are due to a lagging business culture – absent a new eCulture, breaches will, and continue to, increase.   As CIO, I look for ways to help my business and IT teams further their education.   Check your local library:  A book that is required reading is &#8220;I.T. WARS:  Managing the Business-Technology Weave in the New Millennium.&#8221;  It also helps outside agencies understand your values and practices.<br />
The author, David Scott, has an interview that is a great exposure:  <a href="http://businessforum.com/DScott_02.html" rel="nofollow">http://businessforum.com/DScott_02.html</a> &#8211;<br />
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text.  It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.<br />
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Brian Peck</title>
		<link>http://www.merchantequip.com/merchant-account-blog/632/just-how-big-was-the-heartland-security-breach/comment-page-1#comment-19613</link>
		<dc:creator>Brian Peck</dc:creator>
		<pubDate>Wed, 28 Jan 2009 16:17:25 +0000</pubDate>
		<guid isPermaLink="false">http://www.merchantaccountblog.com/?p=632#comment-19613</guid>
		<description>We were in strong competition with Heartland on a deal.  They were leaning to Heartland as the &quot;more well known&quot; company.  Your timely article helped seal the deal our way with First Data. Thanks so much.  
On a side note, I wonder if there are any additional ticking timebombs in the other processors... if they can breach someone that big??? 
Lastly, are there any indications of a fraud spike that would correlate to the breach? Having access to info and effectively using it are 2 separate things.</description>
		<content:encoded><![CDATA[<p>We were in strong competition with Heartland on a deal.  They were leaning to Heartland as the &#8220;more well known&#8221; company.  Your timely article helped seal the deal our way with First Data. Thanks so much.<br />
On a side note, I wonder if there are any additional ticking timebombs in the other processors&#8230; if they can breach someone that big???<br />
Lastly, are there any indications of a fraud spike that would correlate to the breach? Having access to info and effectively using it are 2 separate things.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

