January 27th, 2009 by Jamie Estep
Just how big was the Heartland security breach?
Filed in: Fraud, Industry News, Merchant Accounts | 4 comments
I have been looking over a 2007 Nilson Report, specifically about the number of credit cards being used in the US. I then thought, how much of an impact could the Heartland security breach have on the US credit card industry as a whole? How big is the US credit card industry?
To start off, it is still unknown how many card numbers were actually stolen in the Heartland breach. But it is known that as many as 600 Million card numbers were exposed to malicious software. In terms of security (and logic in general), you can only assume the worst case until you can later prove that the situation is better (there is no innocent until proven guilty when it comes to security). So how many cards is 600 Million?
These are not exact numbers but are close… In 2007, there were about 200 Million card holders in the US. Between them, these card holders held 321 Million Visa cards, 279 Million MasterCard cards, 52 Million AMEX cards, and 57 Million Discover cards. This makes a total of 709 Million credit cards. Since account activity averages about 60% across all cards, there are roughly 420 Million active credit cards being used in the US.
Now putting this all together, the number of cards potentially stolen is about 50% more than every single active card of every cardholder in the entire country. Given the size of the breach, it’s unlikely that your card was not compromised if you made a purchase in the US between April and December.
Unfortunately a breach like this will have a negative impact on the entire credit card industry. I’ve heard a lot of “they had it coming” and cheers of joy from other people in my industry, but make no mistake, this is bad for everyone! We have yet to see the real start of what this is going to cost Heartland and the credit card industry as a whole. I cannot imagine a scenario where Heartland comes out of this in one piece. They may prove me wrong, but the damage from this looks to be too great for any processor in the world to reasonably handle.
We were competing strongly with Heartland on a deal. They were leaning to Heartland as the “more well known” company. Your timely article helped seal the deal our way with First Data. Thanks so much.
On a side note, I wonder if there are any additional ticking timebombs in the other processors… if they can breach someone that big???
Lastly, are there any indications of a fraud spike that would correlate to the breach? Having access to info and effectively using it are 2 separate things.
PricewaterhouseCoopers and Carnegie Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture – absent a new eCulture, breaches will, and continue to, increase. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium.” It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome.
I do agree with you that this is bad for one and all but…HPS published an MBOR, they shouted to all merchants how great they were, everyone else is the middleman, no one is better and their reps continue to all drink from the fountain of Bob Carr. Yes this could have happened to any of us but it didn’t. It happened to HPS who has now violated rule #7 of the MBOR. So when you have many people that rejoice at their current problems, can you blame them?
I think there is an error in part of your logic. Heartland processes credit card authorization transactions, not just credit card “numbers” per se. The “600 million” number you mention represents transactions, not unique credit card numbers. (As in Heartland did not process 600 million unique credit card numbers)
Heartland processes credit card payments for 250k merchants (“restaurants & small businesses”). Since they are processing transactions, the 600MM may include repeat transactions from the same card. It may be impossible to say how many UNIQUE credit card numbers were compromised. I could go to a restaurant serviced by Heartland and have my card compromised there, go to the gas station serviced by Heartland, have my card compromised there, go to the flower store serviced by Heartland to buy flowers for my wife and have my card compromised there. Heartland processed 3 transactions but only 1 credit card number was compromised. Hopefully this explains how there is a difference between compromised TRANSACTIONS and a compromised database of CREDIT CARD NUMBERS with authorization data.
Therefore using 600 million credit card numbers as a basis for your statistics is not the right method. Doing so would assume that every cardholder in the USA visited one of the 250K merchants and had their card compromised.
Instead, you should consider comparing the probability of your card being exposed to Heartland through their merchants by finding out how many merchants there are in the US and the percentage of those who process through Heartland. There may be geographic concerns as well, if Heartland has mostly east coast or west coast customers.
I agree with you that Heartland cannot say that only 100MM transactions may have been exposed when they don’t have proof that the earlier transactions were not exposed. The length of time the information was exposed could have added up to 600MM transactions based on what I’ve read elsewhere.
Also, on a side note, anyone can figure out credit card “numbers”. There is an algorithm you can use to calculate valid credit card numbers. However, without the authorization information (customer name, expiry date, zip code, phone, CVV2, etc) the credit card number by itself is useless. That is why a credit card authorization company server would be a pot of gold for a hacker.
I used to work in IT at a bank that consolidated credit card payments and dealt with these issues in great detail. I showed the credit department what the next 10 credit card numbers to be issued were going to be by using the algorithm that checks to see if a card is a valid card number.
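The “algorithm that checks to see if a card is a valid card number” the commenter refers to is the Luhn mod-10 check digit. The following is an added example, not code from the post or from any commenter, showing the check from the merchant side: it validates the checksum of a number typed into a payment form and masks the PAN before it is written to a log, which is the kind of handling that keeps a processor’s logs from becoming the “pot of gold” described above. The card numbers in the comments are the publicly documented test PANs 4111 1111 1111 1111 and 4242 4242 4242 4242, not real accounts; as the comment says, passing Luhn only means a number is well-formed, not that an account exists or that the number is usable without the issuer’s authorization data.

```python
import re


def normalize_pan(raw: str) -> str:
    """Strip the spaces and dashes people type into a card field.

    Anything else (letters, punctuation) is rejected rather than silently
    dropped, so a malformed input never reaches the checksum or the log.
    """
    pan = re.sub(r"[ -]", "", raw)
    if not pan.isdigit():
        raise ValueError("PAN must contain only digits after removing spaces/dashes")
    return pan


def luhn_valid(raw: str) -> bool:
    """Luhn (mod 10) check digit test.

    Walking from the rightmost digit, every second digit is doubled and,
    if the product exceeds 9, reduced by 9 (equivalent to summing its two
    digits). The number is well-formed when the total is divisible by 10.
    This catches typos and transpositions; it says nothing about whether
    the account is real or whether the number could be authorized.
    """
    pan = normalize_pan(raw)
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(raw: str) -> str:
    """Return the PAN with all but the last four digits replaced by '*'.

    This is the form a merchant or processor should write to logs and
    receipts; the full PAN belongs only in the authorization path.
    """
    pan = normalize_pan(raw)
    return "*" * (len(pan) - 4) + pan[-4:]


def log_card_attempt(raw: str) -> str:
    """Build the single log line a payment form handler would emit.

    The line carries the checksum result and the masked PAN only, so a
    stolen log file does not yield usable card numbers.
    """
    status = "luhn-ok" if luhn_valid(raw) else "luhn-fail"
    return f"card_attempt pan={mask_pan(raw)} status={status}"


if __name__ == "__main__":
    # Publicly documented test PANs, constructed inputs for this example.
    for sample in ("4111 1111 1111 1111", "4242-4242-4242-4241"):
        print(log_card_attempt(sample))
```

Note that `luhn_valid` deliberately does nothing but check the checksum; the defensive value of the example is in what the handler refuses to do, namely store or log the unmasked PAN, which is exactly the data the comments above say turns a list of numbers into something an attacker can use.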