That's "Yet Another Credit Card Breach". Heartland Payment Systems, a payment processor in Princeton, NJ, suspected three months ago that it had been compromised, and called in outside forensic investigators in December after internal auditors failed to find a smoking gun, but didn't see fit to tell anyone until now. Heartland says "tens of millions" of Visa and Mastercard credit and debit cards may have been compromised. Other sources say the number may be over 100 million; Heartland claims to process a hundred million credit card transactions per month.
[Heartland President and CFO Robert] Baldwin said 40 percent of transactions the company processes are from small to mid-sized restaurants across the country. He declined to name any well-known establishments or retail clients that may have been affected by the breach. Baldwin said it would be unfair to mention any one of his company's customers.
Baldwin may decline to identify them, but if 40% come from "small to midsize restaurants" and "no single customer accounts for more than a tenth of a percent" of their transactions, I'll bet you most or all of the other 60% come from small retail merchants and other small businesses.
Like the Hannaford breach, this one involves a sniffer "of a previously undiscovered variety" planted on Heartland's payment processing network. Heartland doesn't know how it got there or how long it had been there. The Secret Service is investigating, and reportedly believes the breach to be the work of a cybercrime gang already under investigation and believed to be responsible for "a significant number of breaches of financial institutions".
Avivah Litan, a fraud analyst with Gartner Inc., questioned the timing of Heartland's disclosure -- a day in which many Americans and news outlets are glued to coverage of Barack Obama's inauguration as the nation's 44th president.
"This looks like the biggest breach ever disclosed, and they're doing it on inauguration day?" Litan said. "I can't believe they waited until today to disclose. That seems very deceptive."
But Baldwin says they got the information out on "the first possible day that they could" once they actually confirmed the breach.
(Pointer credit to mazianni)
no subject
The way these things are written, it is in a company's best interest to notify others when there is a breach as soon as possible, but it is also in their best interest to delay such notification until they know that there was a breach and which card numbers were impacted.
This may not be the end result that we all want, but they are playing by the rules, and I have to support them on that. The three month time frame is unsurprising.