Heartland on Defense at Senate Hearing
Senator 'Astonished' That Breach Lasted So Long
At a panel hearing Monday on protecting industry against growing cyber threats, Sen. Susan Collins, R.-Maine, asked Heartland CEO Robert Carr to explain how this delay happened. Carr responded that a breach is usually detected when the processing payer is notified of fraudulent use of cards, and that didn't occur until the end of 2008.
"Isn't there software in the systems to detect such a breach?" Collins asked.
"There is, and the cyber criminals are very good at masking themselves," Carr replied. "To be able to scan systems to determine what the malware is, you have to understand something about the attack vector, and you need to know something about the malware to find it. All of us in the industry go through annual assessments, but the bad guys are working together to get around all those assessments."
Carr told the panel Heartland is taking two major steps to prevent this type of breach from recurring. Working through the Financial Services Information Sharing and Analysis Center, Heartland and other payment processors established Payments Processing Information Sharing, a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation practices.
He also said Heartland is working to deploy end-to-end encryption, known as E3, to render data unreadable to outsiders from the point of card swipe. "Our goal is to completely remove payment account numbers of credit and debit cards and magnetic stripe data such as expiration date, service codes and other data, so that it is never accessible in a usable format in the merchant and processor systems," Carr said.
Authorities allege that Albert Gonzalez, who pleaded guilty last month to attacks on retailers TJX, Barnes and Noble, Office Max and Dave & Buster's, was responsible for the Heartland breach as well as others. The Heartland breach, revealed in January, affected some 130 million credit cards.
Carr couldn't quantify the breach's losses to customers, banks and others, characterizing the attacks as a "significant compromise," and told the committee Heartland took a $32 million charge against earnings to cover costs for forensic examination, legal services and potential settlement of claims.
Asked by panel chairman Joseph Lieberman, I-Conn., if he wished he had done something different to prevent the breach, Carr replied that he should have worked with industry partners sooner to develop a defense from hackers, something the industry is now doing. "I wish we had done that earlier," he said.