Heartland’s Carr Calls for End-to-End Encryption To Stop Breaches

Nearly one week after news emerged of the big data breach at Princeton, N.J.-based merchant acquirer Heartland Payment Systems Inc., it remains unclear how much damage actually happened and who did it. One report suggests Heartland's breach-related legal liabilities could approach $98 million, an estimate a Heartland spokesperson dismisses as speculative. The spokesperson tells Digital Transactions News on Monday that the so-called “sniffer” program secretly planted on one of Heartland's payment-processing platforms was not being used when investigators found it about two weeks ago. “It was inactive,” the spokesperson says. “I want to be specific to say it was inactive,” he adds, clarifying that the hackers hadn't deliberately disabled or deactivated it. Robert Carr, Heartland's chief executive, meanwhile, issued a statement calling for better industry cooperation and new operational procedures to prevent future data compromises, including industrywide, end-to-end encryption to fully protect cardholder data. Heartland uses encryption, but industry procedures leave data unencrypted during one brief point of the authorization process?a weakness that hackers have learned to exploit. Carr also said Heartland is working on its own system of end-to-end encryption. Heartland last week said it learned late last fall of the malicious software, or malware, that captured unencrypted card numbers during the authorization process. The spokesperson on Monday said Visa Inc. and MasterCard Inc. first alerted Heartland about suspicious activity sometime in late October or early November. Despite bringing in outside experts, it took until this month to actually find the program, which possibly could have been planted as far back as May (Digital Transactions News, Jan. 22). The spokesperson says he doesn't know exactly when it was placed on the platform that processes 100 million transactions monthly from about 175,000 small and mid-sized merchant locations, but says it has now been contained and removed. “Our understanding is it was limited to being active in 2008,” the spokesperson says. “Unfortunately, it was very sophisticated.” Citing unnamed sources, the online newsletter StorefrontBackTalk on Friday afternoon said the U.S. Secret Service “has identified an overseas suspect” in the Heartland breach, but offered no other details other than to say the U.S. Department of Justice is involved and that the suspect is “outside of North America.” Neither the Heartland spokesperson nor a spokesperson for the Secret Service, which is investigating the breach, would confirm that report. “I have nothing on that story,” says the Washington, D.C.-based Secret Service spokesperson. A foreign connection would not be surprising. In announcing the breach Jan. 20, Heartland said in a release, “We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice.” Many of the suspects the DoJ charged in connection with the record payment card breach at retailer TJX Cos. were foreign nationals (Digital Transactions News, Aug. 6, 2008). Besides the missing details about the breach itself, another big unknown is the financial hit Heartland will take. Heartland faces possible lawsuits or bills from credit and debit card issuers for breach-related fraud losses and card reissuance. Some observers have speculated Heartland's breach could be bigger than TJX's, which may have compromised up to 94 million card numbers. Although public reports of actual fraud linked to the Heartland breach have not yet surfaced, local press stories monitored by Digital Transactions News report that many community banks and credit unions are reissuing cards whose numbers were compromised when customers made purchases at Heartland merchants. At least one issuer is reissuing about one-third of its card portfolio. Others are taking a wait-and-see approach, telling cardholders to be alert for possible misuse. The nation's biggest banks?JPMorgan Chase & Co., Citigroup Inc. and Bank of America Inc.?are giving few details about their responses to the breach. In a report issued Sunday, investment bank Goldman Sachs Group Inc. estimated Heartland could face possible litigation costs of almost $98 million. In arriving at the estimate, Goldman Sachs estimated the affected platform's 100 million monthly transactions came from 20.5 million unique cards, resulting in potentially 143.5 million cards compromised from May through November. Applying what it says were 68 cents in losses per card from the TJX breach, Goldman Sachs estimates Heartland's possible liability is $97.7 million. The Heartland spokesperson, however, dismisses that figure. “I think that is speculation,” he says. “We expect there will be some damages, but I think it's very preliminary to put a figure on it.” In its report, Goldman Sachs said its assumptions were subject to change depending on further disclosures. In a news release Friday afternoon, Heartland founder Carr said his company had added more than 400 merchant clients in the preceding few days, more than it did in the same year-earlier period, “despite the headwinds of the economy and attacks by some of our competitors …”. Carr issued a call for payments companies to share more information about the computer-related fraud they experience. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again,” Carr said. “I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week.” In Heartland's case, the thieves captured account numbers, expiration dates, and some cardholder names, but not confidential merchant data, Social Security numbers, unencrypted PINs, addresses, or telephone numbers.