In the latest aftershock to a massive data breach that took place in 2008, card payment processor Heartland Payment Systems yesterday announced a settlement agreement with Discover Financial Services in which Heartland will pay Discover $5 million.
The drama began Jan. 20, 2009 (coincidentally, the day of President Obama's inauguration), when Heartland announced that malicious software had compromised its data the year before. Visa and MasterCard had alerted the payment processor of suspicious activity on some of its card transactions. Data exposed through the breach included card numbers, expiration dates, and in some cases, the names of customers who used debit or credit cards at Heartland's network of 250,000 businesses.
In August 2009, the hackers who perpetrated the data breach, American Albert Gonzalez and two Russian accomplices, were indicted in federal district court in New Jersey on charges that they carried out the largest hacking and identity-theft caper in U.S. history. Federal prosecutors said the trio had stolen information about more than 130 million credit and debit cards by hacking into the computer systems of five major companies, including Hannaford supermarkets, 7-Eleven and Heartland Payment Systems. Gonzalez was sentenced to 20 years in prison.
According to a paper from the Federal Reserve Bank of Philadelphia, the method used to compromise Heartland’s data was SQL injection, an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. The hackers found vulnerable code written eight years earlier for a web form and inserted malicious code there, thus gaining access to Heartland’s corporate network. The code vulnerability was not identified through annual internal and external audits of Heartland’s systems or through continuous internal system-monitoring procedures. After compromising Heartland’s corporate network, the intruders spent almost six months hiding their activities while attempting to reach the processing network, bypassing the different anti-virus packages used by Heartland. They then installed sniffer software that captured payment card data as it moved within Heartland’s network.
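To make the injection mechanism described above concrete, here is an added example (not Heartland's code, and not taken from the Federal Reserve paper) that contrasts a web-form lookup built by string concatenation with the same lookup using a parameterized query. It uses Python's built-in SQLite driver in place of SQL Server and a constructed merchant table; the payload, table and column names are assumptions for illustration only.

```python
import sqlite3

def build_db():
    """Constructed sample data (not from the article): a tiny merchant directory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER, name TEXT, contact_email TEXT)")
    conn.executemany("INSERT INTO merchants VALUES (?, ?, ?)", [
        (1, "Example Diner", "diner@example.invalid"),
        (2, "Sample Hardware", "hw@example.invalid"),
    ])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation, so the form input becomes SQL text
    that the database parses and executes, exactly the flaw the article describes."""
    sql = "SELECT id, name FROM merchants WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, name):
    """Sends the statement and the value separately; the driver binds the value,
    so it can never be interpreted as part of the query."""
    return conn.execute(
        "SELECT id, name FROM merchants WHERE name = ?", (name,)
    ).fetchall()

def demo():
    """Runs both variants against benign input and a classic tautology payload
    and returns the rows each one yields, for comparison."""
    conn = build_db()
    benign = "Example Diner"
    hostile = "x' OR '1'='1"   # constructed payload of the kind a web form field can carry
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "parameterized_hostile": lookup_parameterized(conn, hostile),  # no match, no leak
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The parameterized version is the fix that audits and code review should be looking for; the concatenated version is the pattern that, per the article, sat unnoticed in an eight-year-old web form.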
Technology-wise, Heartland responded to the data breach by developing end-to-end encryption to protect card transactions. The payments processor helped design a tamper-resistant security module that fits in a merchant's POS terminal and encrypts PINs as they are entered. The module costs merchants $300 to $500. Data is decrypted only when required by the card brands to enter their authorization networks. (First Data announced a similar system yesterday, and several data security vendors offer similar products.) Heartland's CTO Kris Herrin spoke with Bank Systems & Technology about its security efforts in a 2009 video interview.
On the legal front, Heartland was hit with numerous lawsuits. In January 2010, the company announced that it would pay up to $60 million to issuers of Visa credit and debit cards for losses they incurred from the 2008 data breach. It later agreed to pay up to $41.1 million to MasterCard issuers that lost money as a result of the data breach, and made a similar settlement with American Express for $3.6 million. The company had set aside $140 million to cover lawsuits from the data break-in. Heartland's CEO said yesterday that the Discover settlement is the final agreement with a card brand related to the data breach. Time will tell whether this is truly the end of the company's legal troubles.