Heartland Self-Inflicts More Data Breach Injuries

Written by Evan Schuman
August 19th, 2010

Heartland Payment Systems again finds itself in the glaring light of a data breach probe, but this time, the injuries are almost entirely self-inflicted. The incident in question is the Austin, Texas, data breach of several hundred payment cards from a four-location Greek cafeteria—which one Austin detective said crafts a terrific baklava—that happens to use Heartland as its processor.

A preliminary investigation by the Austin Police Department Financial Crimes Unit—which knows its way around credit card theft—ruled out a skimming attack against Tinos Greek Café. That placed the attention on a database of the cards used at Tinos, either in Tinos computers (just PCs) or at Heartland, said Sgt. Matthew Greer of that financial crimes unit.

When Greer was quoted—and possibly misquoted—at a local television station saying the fault was definitely at Heartland, the company decided to issue a statement defending itself. Although the media relations advice on doing so is mixed—does the processor risk thrusting more attention on the negative story? Is ignoring it a better choice?—Heartland was fully within its rights to do so.

But the problems cropped up because Heartland went beyond a statement that said something like “We have no knowledge of a breach at Heartland, but we await the completion of forensic investigations to know for certain” and ventured into comments that range from misleading to irrelevant and possibly even reckless.

Heartland’s statement said two things that were problematic. First, it opened with this: “Heartland Payment Systems has confirmed with the United States Secret Service that it is not a target in the investigation of data theft at one Austin, Texas-area restaurant.”

There’s no way to interpret that other than to say it was an attempt to imply that the Secret Service had investigated this matter and concluded Heartland was not at fault. In actual fact, the Secret Service has not investigated this matter yet, nor has Visa, MasterCard, Tinos or even Heartland. The phrase “not a target of the investigation” is horribly misleading.

It has nothing whatsoever to do with assigning the fault for a data breach. It’s a federal term for a criminal investigation. In the TJX breach, which the Secret Service did thoroughly investigate, TJX was never the target. Albert Gonzalez and his crew were the targets. So to say that Heartland was not a target of an investigation that hasn’t even started is stupendously misleading.

To be explicit, the federal enforcement use of “target” applies only to a federal criminal probe. Even if—for the sake of argument—the Secret Service knew for a fact that Heartland had been reckless and careless and irresponsible with the payment card data, Heartland still couldn’t possibly have been a target, because reckless handling of payment card data is not illegal in this country, nor in any state or municipality. (Whether a federal law should be passed making such conduct illegal is another story.)

But the next part of the statement gets even more fact-deprived. Heartland CIO Steve Elefant issued a quote that said: “The intrusion likely occurred in the third-party point-of-sale system used at the merchant location or as a result of other fraud. The Heartland system has not been compromised in any way.”

This is the sad part. If Heartland had simply waited for the results of various full-fledged probes—assuming they’re ever launched—it might have been able to say those things accurately. But the company issued that statement on August 13, long before the computers at Tinos had even been examined by anyone. (As of August 18, they still had not been examined, according to the owner of Tinos.) Stating as fact that Heartland “has not been compromised in any way” before any investigation has begun seems reckless.

Elefant defended the phrasing. “I don’t think it’s premature at all,” he said, because “we have people who monitor this 24 hours a day” and Heartland would have seen activity had it been breached directly. In other words, Elefant said, because fraudulent activity was only identified with Tinos, that’s where the breach must have been.

It’s a very fair point. But it’s one that would support a statement saying, “Heartland has no reason to believe it was breached.” And that statement is very different from a declaration saying the company wasn’t “compromised in any way.”

Payment card processing is a confidence game. No, not in the con-man sense (well, not usually) but in needing to engender a strong emotional sense of confidence. And unnecessarily over-reaching in statements involving breaches—especially when Heartland is in the history books as housing one of the worst data breaches in payment card history—is certainly asking for trouble.

Let’s look a bit more closely at what seems to have happened with Tinos. Tinos owner Jeff Nouri said he first learned of the breach on August 8 when customers started calling the restaurant to complain of false charges on their cards. Nouri said he believes his restaurants have not been storing any payment card data in their systems; rather, that data was sent directly to Heartland. But, Nouri added, he was awaiting a forensic analysis of his computers to be certain.

Nouri said he took comfort in the fact that customers swipe their cards at the POS—which uses ValuePOS software—and that his employees never have access to the card for more than a few seconds. Greer, of Austin PD’s financial crimes unit, said he was confident the police investigation had ruled out a skimmer accessing the cards as they were swiped.

Greer said he ruled out a skimmer because of the locations where the stolen numbers were used (Europe, South America and Asia) and the multi-week and sometimes multi-month delay between time of theft and time of use. The typical pattern with skimming, he said, is usage within 100 miles of the victim and rapid usage. “We would have seen a lot more cards showing up in the Austin area and a lot quicker” had it been a skimmer, Greer said.

Heartland’s Elefant disputed this pattern and said he has often seen skimmed attacks resulting in faraway charges that may not materialize for an extended period of time. (We’re inclined to agree with Elefant on that one. Skimming fraud patterns tend to be all over the map.)
