Federal Authorities Prosecuting Suspects of Heartland and Hannaford Breaches
The US Department of Justice reports that federal authorities are prosecuting three suspects for stealing 130 million credit card numbers from Heartland Payment Systems, 7-Eleven stores, and Hannaford stores. We previously reported on the Heartland Payment Systems Breach and the Hannaford Stores Breach.
The indictment details how Albert Gonzalez and his co-conspirators allegedly “used sophisticated hacker techniques [SQL injection attacks] to gain access to the networks to cover their tracks and to avoid detection by anti-virus software used by their victims.” The suspects allegedly scouted the stores of the corporate victims and their websites for vulnerabilities. Allegedly, in order to cover their tracks, the suspects “program[ed] malware to be placed on the Corporate Victims’ computer networks to evade detection by anti-virus software and then testing the malware against approximately 20 different antivirus programs.”
The breach cost Heartland not just millions of dollars but also the temporary loss of its PCI certification. Soon after the Heartland Payment Systems breach, Heartland lost its PCI certification, as reported by VISA CISP. Since then, Heartland has regained its PCI certification but also disclosed in its 10-Q filing with the Securities and Exchange Commission that it faced $32 million in expenses due to the breach. $22 million of those charges related to fines imposed by card brands and settlement offers, while the remaining amounts were spent on “legal fees and costs the Company incurred for investigations, remedial actions, and crisis management services.”
Shortly after the Heartland breach, in July 2009, the PCI Security Standards Council issued its Wireless Guideline, which makes specific recommendations related to the deployment of wireless networks. The recommendations are sometimes as detailed as setting up firewalls, accounting for wireless access points, changing default passwords and settings on wireless devices, and using strong wireless authentication and encryption. On the other hand, despite outlining the weaknesses in WEP, PCI DSS v1.2 only requires discontinuing WEP as of June 30, 2010. Unfortunately, use of WPA or WPA2 remains only a recommendation.
In our previous review of the breaches, we had suggested that “due to the fast evolution of malware, a vulnerability is likely to develop within any system at some point.” Considering that the suspects used custom-written malware that was tested to avoid detection by anti-virus software, Heartland could only have protected itself from the attack by preventing the SQL injections in the first place. While complete security remains a difficult objective to attain, we still believe that a vigorous and comprehensive approach to data security is possibly the only defense against such breaches.
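To illustrate the prevention point above, here is an added example (not code from the article, the indictment, or any of the companies involved) showing a string-built query beside its parameterized form, using Python's built-in sqlite3 module and a constructed two-row table standing in for a card record store:

```python
import sqlite3

# Constructed sample data: cardholder names and (obviously fake) test PANs.
CARDS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (holder TEXT, pan TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", CARDS)
    return conn


def lookup_vulnerable(conn, holder):
    """Splices caller-supplied text into the SQL, so the text becomes SQL.

    This is the defect class the indictment describes as the entry vector.
    """
    sql = f"SELECT pan FROM cards WHERE holder = '{holder}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, holder):
    """Binds the value as a parameter; the driver never parses it as SQL."""
    rows = conn.execute("SELECT pan FROM cards WHERE holder = ?", (holder,))
    return sorted(row[0] for row in rows)


def demo():
    """Run both lookups on a normal name and on a constructed hostile input."""
    conn = make_db()
    benign = "alice"
    # Constructed tautology input of the kind web vulnerability scanners use.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),   # leaks every row
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),  # matches nothing
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable lookup returns every PAN in the table for the hostile input, while the parameterized one returns nothing, because the same bytes are treated as a literal cardholder name rather than as part of the query.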