[Dataloss] Update on Heartland Payment Systems

From: David Shettler (daveopensecurityfoundation.org)
Date: Wed Jan 21 2009 - 20:57:26 CST


http://datalossdb.org/incident_highlights/14-heartland-payment-systems-breach-update

As many can tell by now, the breach has snowballed significantly,
finding its way into hundreds of news articles, mostly containing the
same information with slightly different wording. What follows is a
timeline as experienced by OSF, Data Loss DB, and our volunteers.

About a week ago, we heard "whispers", what we call tips from folks
who wish to remain anonymous, that something large had occurred with
First Data. We did some degree of research, but came up with nothing,
and moved on to our other duties.

Monday of this week, we discovered through our feeds this article
mentioning First Data. Red flags aplenty came up, as it's rare that a
"whisper" goes much beyond a "whisper". We immediately got in contact
with those who wrote the article, and they indicated that they could
get little information from First Data regarding the situation. We
then began searching for data on other banks to see what we could
find, and we came up with at least 5 other small banks posting notices
regarding credit/debit cards. We wrote a brief post about what we
thought we were seeing, and updated it as things changed.

We knew we had stumbled onto something large, but we thought it was
involving First Data. The verdict is still out on whether Forcht Bank
had anything to do with Heartland, as there are very conflicting
reports about this, but our assumption for the time being is that it
is the same breach.

We sounded alarms, and contacted several reporters and bloggers that
we had worked with in the past. One or two articles later, the cat was
out of the bag, and Heartland issued a public statement regarding
their breach. From there, other media outlets fed on the news, and
here we are.

At this time, banks around the country are being notified, and are
issuing new cards to their customers. We still have no total number
affected, but there has been speculation of 100 million cards. Some
are speculating that the total may end up being larger. If it is that
high or higher, it would be the largest data loss incident ever
reported. It is being reported that fraud is being attributed to this
breach.

There are still significant questions that are unanswered, such as:
How many people were affected, are we seeing more than one breach, and
how exactly did this happen? We know it has been attributed to
malicious software or something of that nature, but the "how" question
is more along the lines of, how did PCI-DSS required controls not stop
this from happening?
_______________________________________________
Dataloss Mailing List (datalossdatalossdb.org)
