A Famous Data Security Breach & PCI Case Study: Four Years Later

PCI compliance data security study

Heartland Payment Systems (HPS) became famous in January 2009 for something it didn't want to be famous for: it was the victim of one of the largest data security breaches in U.S. history, with tens of millions of cardholder records possibly lost - the actual number has never been determined. The malware that surreptitiously stole and stored the account numbers was active for an estimated four months at a time when HPS was processing 100 million transactions per month.

Now, nearly four years later, HPS Chairman and CEO Robert O. Carr is speaking publicly about his company's experience and the lessons learned. It's a fascinating and dramatic story - one you didn't get at the time of the news reports on the breach, one that can only be told now. And it reinforces the adage that being compliant with the Payment Card Industry Data Security Standards (PCI DSS) doesn't mean you're secure.

I attended Carr's presentation on October 16 to the Technology Association of Georgia (TAG) in Atlanta. This report is based on Carr's remarks.

Facts about the Data Security Breach:

  • The compromise came through a SQL injection attack on the company's website. Heartland immediately found out about it, and thought they had eradicated the malware.
  • Roughly six months later, in mid-May 2008, the malware made the leap from the corporate network to the payment processing network, but HPS didn't know that at the time.
  • Two weeks prior to the date the payment system was compromised, HPS was approved by their Qualified Security Assessor (QSA) as PCI compliant.
  • In late October 2008, HPS discovered they "might have a problem" based on information provided by one of the major card brands.
  • Three forensics firms hired by HPS analyzed their IT security network; all three said the HPS system was free of malware. In January 2009, HPS staff members found the malware.

What happened Next: Disclosure

  • The company's lawyers recommended a minimal level of disclosure about the breach, but Carr decided against that policy. HPS had a tradition of open communications with employees and customers, and Carr decided that he wanted to maintain that policy and share information as fully as possible. "We did a good job of damage control," he said during his October 16 speech.
  • The company paid a heavy price. The stock price fell 78% in the weeks after disclosure, and 5,000 of the company's 250,000 merchants left. HPS was delisted by Visa and MasterCard. Four months later, VISA reinstated HPS.

The Full Cost:

  • The company suffered a $170 million loss. Although $20 million was covered by insurance, their net loss was $150 million.

Lessons Learned, all from Carr:

  • "You can't just rely on firewalls."
  • "Knowledge of security threats should not be viewed as a competitive advantage." When it comes to threats, companies should share information with peers and collaborate.
  • HPS did not have an incident response plan in place at the time of the breach. It does now.
  • The malware was able to move from HPS's corporate network to its payment processing system because of "human error."
  • "You can't afford to have anyone in a position where they can make bad decisions that hurt you and help the bad guys," he said.

Positive Developments from the Breach:

  • HPS became very aggressive about data security as well as PCI compliance after the breach. It now pursues a policy of encrypting cardholder data from end to end - from the POS terminal to the end of the payment process.
  • HPS worked with a Taiwanese firm to develop a more secure POS terminal for its merchants with encrypting hardware built-in. Now HPS believes its data security technology and processes are a competitive advantage.
  • Carr helped initiate a new group within FS-ISAC to promote information sharing: the FS-ISAC Payment Processors Information Sharing Council.
  • The leader of the hacking group, Albert Gonzalez, pleaded guilty and is serving a 20-year prison sentence. It was the longest sentence ever given for a cybercrime, according to SC Magazine. (HPS was not the only victim of Gonzalez --- others included TJX, Hannaford and 7-Eleven.)
  • Heartland's stock price and market capitalization have recovered the levels they had prior to the breach.

While the HPS breach made headline news and cost the company millions of dollars, it could potentially have been avoided. What about your organization? Are you relying on PCI compliance to protect cardholder and business data, or are you actively pursuing a more comprehensive information security strategy? To learn more about PCI compliance and how Dell SecureWorks can help, visit our PCI Compliance Resource Center.

Back to all Blogs

Talk with an Expert

Thank you for submitting the form! We have received your request. A Secureworks team member will contact you within one business day.