Feds Identify Overseas Suspect In Heartland Case
Written by Evan SchumanThe Secret Service has identified an overseas suspect in the Heartland data breach case and the matter has been turned over to the U.S. Justice Department, according to someone close to the investigation.
Few additional law enforcement details were immediately available, other than that the government believes it has identified the cyber thief involved, has “pinpointed” that suspect’s location and that it’s outside of North America, the source said.
A little more background on the case was also disclosed Friday (Jan. 23) by Heartland itself. The processor first learned of the breach (when alerted by Visa and Mastercard) in late October/early November, said Heartland spokesman Jason Maloni. Previously, the only comment had been that it had been alerted in late Fall, which could have been as late as Dec. 20.
Maloni also revealed that when the sniffer software had been discovered by Heartland, the application had already been deactivated, presumably by the cyber thieves who had planted it. “It was inactive when we found it,” Maloni said.
Maloni said he didn’t more about the application’s inactive status, such as whether it had been fully terminated or whether it could have been merely dormant, programmed to awaken at some future point. If the Trojan had been deactivated, that could mean that the thieves learned they were being hunted and shut off many such applications to try and make it more difficult for investigators to discover their location.
Given the word that the Secret Service believes it has located the prime suspect, it raises the possibility that law enforcement was already on their trail long before the Heartland spyware was detected.
Maloni also confirmed that Heartland had been certified as PCI compliant and he now provided a certification timeframe: April 2008.
Heartland’s CEO, Robert O. Carr, issued a statement Friday that his company is faring well despite the announcement of the breach. Heartland has “added more than 400 merchants to its client base in the past few days, exceeding results for the same period from last year,” Carr said. “Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning.”
The statement didn’t say when those negotiations began, but it’s likely that most—if not all—of those negotiations had been well under way by the time the breach was announced on Jan. 20, so it’s not as though those 400 retailers were moved to join Heartland after they heard of the breach. Then again, it also means that at least those 400 weren’t scared away from signing after they learned of the breach.
Carr also took the opportunity to push the industry for more openness and data-sharing when it comes to cyber assaults. “I have talked to many payments leaders who are also concerned about the increasing success and frequency of cyber crime attacks,” Carr said. “Up to this point, there has been no information sharing, thus empowering cyber criminals to use the same or slightly modified techniques over and over again. I believe that had we known the details about previous intrusions, we might have found and prevented the problem we learned of last week.”
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
