On January 20th of this year, Heartland Payment Systems reported that it suffered a data breach in 2008 (identified not by them but by Visa and MasterCard's monitoring programs). This was very significant because Heartland processes more than 100 million card transactions per month for about 250,000 customers.
It is also important for all of us because, according to their CEO, Heartland had received a passing grade on their Payment Card Industry (PCI) compliance and was relying on that external audit.
Board members, executives, IT security professionals, risk officers, compliance officers, and internal auditors should understand what happened and there are valuable lessons to be learned.
First, let's review what happened. This is an excerpt from Computerworld.
"A data breach disclosed today on January 20th by Heartland Payment Systems Inc. may well displace TJX Companies Inc.'s January 2007 breach in the record books as the largest ever involving payment data with potentially over 100 million cards being compromised.
"Heartland, a Princeton, N.J.-based provider of credit and debit card processing services, said that unknown intruders had broken into its systems sometime last year and planted malicious software to steal card data carried on the company's networks.
"Visa and MasterCard alerted Heartland of suspicious activity, triggering the company to hold an investigation by ‘several forensic investigators,' during which the intrusion was discovered, Robert Baldwin Jr., Heartland's president and chief financial officer, said in a statement. The company said the intrusion may have been the result of a "widespread global cyberfraud operation."
"Heartland claimed that no merchant data, cardholders' Social Security numbers, or unencrypted personal identification numbers (PIN), addresses or telephone numbers were compromised.
"But given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that much, if not more, said Avivah Litan, an analyst at Gartner Inc. "It does look like the biggest ever," Litan said.
"'More radical security moves' need to be taken by payments industry as a whole to address the problem, she added. Such incidents show that the security requirements of the Payment Card Industry Data Security Standard being pushed by the major card companies is clearly not enough, Litan added."
In August, Heartland's CEO responded to Q&A on the data security breach. Below are excerpts from CSO Online.
Heartland Payment Systems Inc. CEO Robert Carr opens up about his company's data security breach, how compliance auditors failed to flag key attack vectors and what the big lessons are for other companies.
For Heartland Payment Systems Inc. CEO Robert Carr, the year did not start off well, to say the least.
In January, the Princeton, N.J.-based provider of credit and debit processing, payment and check management services was forced to acknowledge it had been the target of a data breach -- in hindsight, possibly the largest to date with 100 million credit and debit cards exposed to fraud.
In the following Q&A, Carr opens up about his company's data security breach. He explains how, in his opinion, PCI compliance auditors failed the company, how informing customers of the breach before the media had a chance to was the best response, and how other companies can avoid the pain Heartland has experienced.
What have you learned in recent months regarding how exactly the burglars were able to get in? What have investigators flagged in terms of the big security holes that were exploited?
Carr: "The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn't even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You've got to be kidding me. That people would know the exact attack vector and not tell major players in the industry is unthinkable to me'. I still can't reconcile that."
How did the QSAs respond when you expressed this view?
Carr: "In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn't understand the limitations of PCI and the entire assessment process. PCI compliance doesn't mean secure. We and others were declared PCI compliant shortly before the intrusions."
Do you see PCI DSS as an ineffective waste of effort, or is this a case where the standard was fine and the audits were off?
Carr: "If a smart person's job is to define a set of rules to keep merchants from being breached and they have to start somewhere, what they come up with is going to look something like PCI. There has to be a lowest-common-denominator set of rules. PCI could be improved, but the standard is fine. The problem is a system where you have a magnetic stripe that's exposed, the number is very valuable, and you can easily buy sniffer software off the shelf. Immediately after the Hannaford Supermarkets breach, where we learned a sniffer had been used, that was a whole new paradigm. That's when we started working on end-to-end encryption. Data-at-rest encryption was no longer enough. Data in transit can be captured."
You've no doubt moved aggressively to improve security. Talk about the specifics of what you've done in terms of technology and people policies.
Carr: "Four different card brands have their policies and ideas about security, and we've done everything asked of us. We must have more layers than anyone out there. Some specifics: We re-imaged all our servers -- nuked them, essentially -- and started over. We added additional network segmentation, much more intense monitoring, and added data loss prevention technology, specifically Symantec's Vontu product, which helps you find every place where a card number is stored."
A number of IT governance and security experts responded to the blaming of PCI auditors. Rich Mogull responded in an open letter, posted in his blog at http://securosis.com/blog. Here are some excerpts:
"I completely agree that the current system of standards and audits contained in the Payment Card Industry Data Security Standard is flawed and unreliable as a breach-prevention mechanism."
"That said, your attempts to place the blame of your security breach on your QSAs, your external auditors, are disingenuous at best.
"As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car".
"The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn't even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI."
I don't have any insider or special knowledge of the Heartland incident, but there are a number of important lessons that can be made learned by reflecting on the assertions by Carr and Mogull:
1. Boards and executives should understand what work is being done before placing reliance on it. Assurance providers should ensure their customers understand what assurance they are providing - and what they do not provide
The CEO asserts he was placing reliance on the PCI compliance audit. But as Mogull says, "The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn't even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI."
Management is responsible for its systems of internal control and security. It can employ the services of others, whether internal audit or external assurance providers, but it should understand the extent and limits of the assurance provided. Carr seems to have ‘assumed', and we all know what assume means.
2. Being compliant with a standard does not mean you are secure
The Heartland breach is an excellent example of how you can be compliant with a standard, even one intended to reflect best practices in preventing a breach, and still suffer one. Management, security, risk, audit, and compliance professionals should look beyond the standard, whether an external one like PCI or an internal standard, and determine whether it is sufficient to manage the related risks to the organization. Complying with (or auditing to) a standard is not the same as managing (or auditing) the risk and its related controls.
3. Following the rules does not necessarily mean you meet the principles behind them
The bane of those of us in the US is that our accounting standards are rules-based instead of principles-based. I was at an audit committee meeting where the external auditors were challenged by the directors and management on why they had insisted on a large write-down of tax assets. They defended their position as being required by the rules of GAAP. I asked whether the resulting financial statements reflected a "true and fair view" of the company's results and financial position. They had to admit they did not, but the rules made them do it.
Outside the US, most of the world has principles-based standards. While there are murmurs that there is so much room for judgment that the standards are too loose, I still prefer and advocate principles-based rather than rules-based standards.
Rather than looking at compliance with rules and standards, let's step back and ask whether the principles behind those rules and standards have been achieved. It's quite possible, as was asserted for the PCI standards, that they standards are not adequate.
4. Using a list of best security practices, a standard audit program, or a checklist of required controls may mean you are missing the point
The lesson is clear from Heartland that following what was considered best practices, at a prior point, for other companies, may not be best practice for your organization. Understand the risks to the organization's strategies and objectives, then implement the controls necessary to manage those risks within organizational tolerances.
