August 20, 2010 9:49 AM
Data Breach Pits Police Against Processor
(CBS)
This column was written by Evan Schuman, the editor of StorefrontBacktalk, a site that tracks retail technology, e-commerce and security issues. Retail Realities appears every Friday. Evan can be reached at e-mail and on Twitter.
Heartland Payment Systems again finds itself in the glaring light of a data breach probe, but this time, the injuries are almost entirely self-inflicted. The incident in question is the Austin, Texas, data breach of several hundred payment cards from a four-location Greek cafeteria (which one Austin detective said crafts a terrific baklava) that happens to use Heartland as its processor.
A preliminary investigation by the Austin Police Department Financial Crimes Unit, which knows its way around credit card theft, ruled out a skimming attack against Tinos Greek Café. That placed the attention on a database of the cards used at Tinos, either in Tinos' computers (just PCs) or at Heartland, said Sgt. Matthew Greer of that financial crimes unit.
When Greer was quoted, and possibly misquoted, at a local television station saying the fault was definitely at Heartland, the company decided to issue a statement defending itself. Although the media relations advice on doing so is mixed (does the processor risk thrusting more attention on the negative story? Is ignoring it a better choice?), Heartland was fully within its rights to do so.
But the problems cropped up because Heartland went beyond a statement that said something like "We have no knowledge of a breach at Heartland, but we await the completion of forensic investigations to know for certain" and ventured into comments that range from misleading to irrelevant and possibly even reckless.
Heartland's statement said two things that were problematic. First, it opened with this: "Heartland Payment Systems has confirmed with the United States Secret Service that it is not a target in the investigation of data theft at one Austin, Texas-area restaurant."
There's no way to interpret that other than to say it was an attempt to imply that the Secret Service had investigated this matter and concluded Heartland was not at fault. In actual fact, the Secret Service has not investigated this matter yet, nor has Visa, MasterCard, Tinos or even Heartland. The phrase "not a target of the investigation" is horribly misleading.
It has nothing whatsoever to do with assigning the fault for a data breach. It's a federal term for a criminal investigation. In the TJX breach, which the Secret Service did thoroughly investigate, TJX was never the target. Albert Gonzalez and his crew were the targets. So to say that Heartland was not a target of an investigation that hasn't even started is stupendously misleading.
But the next part of the statement gets even more fact-deprived. Heartland CIO Steve Elefant issued a quote that said: "The intrusion likely occurred in the third-party point-of-sale system used at the merchant location or as a result of other fraud. The Heartland system has not been compromised in any way."
This is the sad part. If Heartland had simply waited for the results of various full-fledged probes (assuming they're ever launched), it might have been able to say those things accurately. But the company issued that statement on August 13, long before the computers at Tinos had even been examined by anyone. (As of August 18, they had still yet to be examined, according to the owner of Tinos.) Stating as fact that Heartland "has not been compromised in any way" before any investigation has begun seems reckless.
Elefant defended the phrasing. "I don't think it's premature at all," he said, because "we have people who monitor this 24 hours a day" and Heartland would have seen activity had it been breached directly. In other words, Elefant said, because fraudulent activity was only identified with Tinos, that's where the breach must have been.
It's a very fair point. But it's one that would support a statement saying, "Heartland has no reason to believe it was breached." And that statement is very different from a declaration saying the company wasn't "compromised in any way."
Heartland pushes its security encryption programs with the zeal of a former smoker chasing lunchtime smokers away from his building. And for good reason: Heartland last year confirmed that it has been the victim of what might be the largest data security breach of any card processor, with more than $111 million in cleanup costs. It got so bad that Visa even took the extremely unusual step of removing them from a security-compliant list of processors, although Visa bizarrely still allowed them to process transactions while suspended. (Don't try and understand it while sober. It won't work.)
After that breach and those lawsuits calmed down, Heartland took the lead in what has become the end-to-end encryption movement, while suing another security firm to stop suggesting to Heartland's customers that they rethink their processor choice. Even in that litigation, Heartland's aggressiveness has not always slowed down for completely candid explanations.
Payment card processing is a confidence game. No, not in the con-man sense (well, not usually) but in needing to engender a strong emotional sense of confidence. And unnecessarily over-reaching in statements involving breaches, especially when Heartland is in the history books as housing one of the worst data breaches in payment card history, is certainly asking for trouble.
Let's look a bit more closely at what seems to have happened with Tinos. Tinos owner Jeff Nouri said he first learned of the breach on August 8 when customers started calling the restaurant to complain of false charges on their cards. Nouri said he believes his restaurants have not been storing any payment card data in their systems; rather, that data was sent directly to Heartland. But, Nouri added, he was awaiting a forensic analysis of his computers to be certain.
Nouri said he took comfort in the fact that customers swipe their cards at the POS, which uses ValuePOS software, and that his employees never have access to the card for more than a few seconds. Greer, of Austin PD's financial crimes unit, said he was confident the police investigation had ruled out a skimmer accessing the cards as they were swiped.
Greer said he ruled out a skimmer because of the locations where the stolen numbers were used (Europe, South America and Asia) and the multi-week and sometimes multi-month delay between time of theft and time of use. The typical pattern with skimming, he said, is usage within 100 miles of the victim and rapid usage. "We would have seen a lot more cards showing up in the Austin area and a lot quicker" had it been a skimmer, Greer said.
Heartland's Elefant disputed this pattern and said he has often seen skimmed attacks resulting in faraway charges that may not materialize for an extended period of time. (We're inclined to agree with Elefant on that one. Skimming fraud patterns tend to be all over the map.)
The opinions expressed in this commentary are solely those of the author.
By Evan Schuman
Special to CBSNews.com