[ISN] Heartland CEO on Data Breach: QSAs Let Us Down

From: InfoSec News <alerts_at_private>
Date: Thu, 13 Aug 2009 04:11:37 -0500 (CDT)
http://www.csoonline.com/article/499527/Heartland_CEO_on_Data_Breach_QSAs_Let_Us_Down

By Bill Brenner
Senior Editor
CSO 
August 12, 2009

For Heartland Payment Systems Inc. CEO Robert Carr, the year did not 
start off well, to say the least.

In January, the Princeton, N.J.-based provider of credit and debit 
processing, payment and check management services was forced to 
acknowledge it had been the target of a data breach -- in hindsight, 
possibly the largest to date with 100 million credit and debit cards 
exposed to fraud.

In the following Q&A, Carr opens up about his company's data security 
breach. He explains how, in his opinion, PCI compliance auditors failed 
the company, how informing customers of the breach before the media had 
a chance to was the best response, and how other companies can avoid the 
pain Heartland has experienced.


Take us back to the moment you were told a breach may have happened. 
What was your first thought?

Carr: "It was a Monday night in January, just after dinner, when I was 
told data files were found on our servers that were not created by 
Heartland. That was a clear sign of trouble. It was a sleepless night. 
The question people always ask is what keeps me awake at night. Well, 
this is it."


What have you learned in recent months regarding how exactly the 
burglars were able to get in? What have investigators flagged in terms 
of the big security holes that were exploited?

Carr: "The audits done by our QSAs (Qualified Security Assessors) were 
of no value whatsoever. To the extent that they were telling us we were 
secure beforehand, that we were PCI compliant, was a major problem. The 
QSAs in our shop didn't even know this was a common attack vector being 
used against other companies. We learned that 300 other companies had 
been attacked by the same malware. I thought, 'You've got to be kidding 
me.' That people would know the exact attack vector and not tell major 
players in the industry is unthinkable to me. I still can't reconcile 
that."

[...]


________________________________________
Subscribe to InfoSec News
http://www.infosecnews.org
Received on Thu Aug 13 2009 - 02:11:37 PDT

This archive was generated by hypermail 2.2.0 : Thu Aug 13 2009 - 02:32:41 PDT