OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Dataloss] Update: Heartland breach shows why compliance is not enough

From: security curmudgeon (jerichoattrition.org)
Date: Thu Jan 07 2010 - 02:59:33 CST


---------- Forwarded message ----------
From: InfoSec News <alertsinfosecnews.org>

http://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough?taxonomyId=17

By Jaikumar Vijayan
Computerworld
January 6, 2010

Nearly a year after Heartland Payment Systems Inc. disclosed what turned
out to be the biggest breach involving payment card data, the incident
remains a potent example of how compliance with industry standards is no
guarantee of security.

Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had
broken into its systems and stolen data on what was later revealed to be a
staggering 130 million credit and debit cards. That number easily eclipsed
the 94 million cards that were compromised in the massive breach disclosed
by TJX Companies Inc. in 2007.

However, it wasn't just the scope of the Heartland breach that made it
remarkable, but also the company's insistence that it was certified as
fully compliant with the requirements of the Payment Card Industry Data
Security Standard (PCI DSS) when it was compromised.

In public comments after the breach, Heartland CEO Robert Carr
emphatically claimed the intrusion occurred even though the company had
implemented every single one of the security controls mandated by the PCI
standard. In an interview with Computerworld last June, Carr said the
breach pointed to both the sophistication of the attacks against Heartland
and the inadequacy of relying on PCI controls alone for data security.

[...]
_______________________________________________
Dataloss Mailing List (datalossdatalossdb.org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php