"Biggest Breach Ever," Now What?

Heartland Payment Systems may now hold the dubious distinction of “largest security breach ever” in the wake of a hack that may have been sniffing card numbers, expiration dates and track data off the processor's network from as early as May until last month.  The number of cards compromised is still a matter of conjecture—the biggest guesstimate has been about 100 million, but Heartland CEO Robert Carr is scolding those who jump to that conclusion.

Beyond the hyperbole is the alarming truth that, yet again, the compromise took place on the target's internal system, just as it did in the TJX, Hannaford, and CardSystems cases.  And again, it wasn't discovered by the processor, but rather detected by Mastercard and Visa when they sniffed out fraudulent transactions. Michael Santarcangelo in Computerworld keys in on this, noting, “The breach disclosure from Heartland provides more evidence that breaches are symptoms; focus must be placed on understanding and addressing root causes.”

The Heartland breach, like others before it, raises serious questions about exactly what PCI compliance stands for, and how much stock banks and consumers should place in it; Heartland admits as much in an interview with Digital Transaction News.

Maybe it's time to admit that PCI standards won't ever fully protect data, and new tactics are needed. CEO Robert Carr is calling for industry cooperation and transparency in disclosing details of the attack, with the aim of preventing other companies from falling victim to the same malicious exploit.

It seems he’s barking up the right tree.  Henry Helgeson, president and co-CEO of Merchant Warehouse Inc., a Boston-based provider of payment card processing services and software, told Computerworld, "Everybody who processes card information is dying to know how exactly this happened."

Carr comes close to passing the buck on this one with his other statement, "I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week."

But credit where it's due. Carr is hoping to effect industry change in the coming months. "Just as the Tylenol crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data—and therefore businesses and consumers—much more effectively," he says.

His idea is a good one; it's also expedient. CardSystems went out of business after its massive breach. It's probably fair to say that Carr's other aspiration is to get far enough in front of this one that Heartland's transactions keep flowing.