I have been asked by many to comment on the breach news regarding credit-card processor Heartland. Unfortunately I cannot reveal too many details, but I would like to point out this smackdown of Avivah Litan of Gartner.
“I would call this the largest breach ever,” Ms. Litan said.
But Robert Baldwin, Heartland’s president and chief financial officer, called her estimate a “totally fictional number.” The company added that, since it’s too early to say how many records were accessed, calling it the largest-ever breach would be “speculative.”
Ouch. Hahaha. But seriously, you can count on Litan to make some crazy statements about security, as I’ve pointed out before.
[Kiosks] are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves.
Perfect target. Largest breach ever. See what I mean?
I predict you will see the most fallout in this case from the sophistication of the attackers. It goes right to the core debate about encryption on the wire (data in transit), as well as detection of customized malware (the sort of thing your off-the-shelf anti-virus signatures can’t see). A forensics investigator, not an automated alert, found the evidence of this breach, which should tell you a lot about the level of security awareness now required when dealing with major assets. Companies can no longer bank on simple log analysis if they want to run a safe shop; a single log source reviewed in isolation rarely shows a custom intrusion for what it is. Thus, despite the sour economy, demand for correlation software as well as security investigators is rising for a reason. In this case PINs are not believed to have been exposed, but unencrypted data for hundreds of thousands of merchants was captured by attackers as it was transmitted to the card brands.
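To make the “simple log analysis versus correlation” point concrete, here is an added illustration (my own example, not code from the original post or from Heartland) that runs a naive single-source threshold rule and a cross-source correlation rule over the same constructed sample log lines. The host name, file paths, IP addresses, thresholds and the 30-minute window are all assumptions chosen for the example; the field names are a made-up key=value format, not any vendor’s log schema.

```python
"""Single-source log review vs cross-source correlation over constructed log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (assumed format and values, not real breach data):
# process-creation events and outbound network-flow records from one host.
PROCESS_LOG = [
    "2009-01-12T02:14:05 host=txn-proc-01 event=process_start "
    "image=C:\\Windows\\Temp\\svchost.exe signed=no parent=explorer.exe",
    "2009-01-12T09:30:11 host=txn-proc-01 event=process_start "
    "image=C:\\Windows\\System32\\notepad.exe signed=yes parent=explorer.exe",
]
FLOW_LOG = [
    "2009-01-12T02:15:40 host=txn-proc-01 event=flow dst=198.51.100.23 dport=443 bytes_out=5242880",
    "2009-01-12T09:31:02 host=txn-proc-01 event=flow dst=203.0.113.5 dport=443 bytes_out=12000",
]

# Naive per-source threshold: only a very large transfer (50 MB) is "interesting".
BIG_TRANSFER = 50 * 1024 * 1024


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def single_source_alerts(flow_lines):
    """Look at the flow log alone: alert on transfers above BIG_TRANSFER bytes."""
    return [r for r in map(parse, flow_lines) if int(r["bytes_out"]) > BIG_TRANSFER]


def correlated_alerts(process_lines, flow_lines,
                      window=timedelta(minutes=30), min_bytes=1024 * 1024):
    """Correlate two sources: an unsigned binary launched from a temp directory,
    followed within `window` by an outbound transfer of at least `min_bytes`
    from the same host. Each hit alone looks benign; together they are worth a look."""
    suspicious_procs = defaultdict(list)
    for r in map(parse, process_lines):
        if r["signed"] == "no" and "\\temp\\" in r["image"].lower():
            suspicious_procs[r["host"]].append(r)

    alerts = []
    for f in map(parse, flow_lines):
        if int(f["bytes_out"]) < min_bytes:
            continue
        for p in suspicious_procs.get(f["host"], []):
            if timedelta(0) <= f["ts"] - p["ts"] <= window:
                alerts.append({
                    "host": f["host"],
                    "image": p["image"],
                    "dst": f["dst"],
                    "bytes_out": int(f["bytes_out"]),
                    "seconds_after_start": int((f["ts"] - p["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    print("single-source alerts:", single_source_alerts(FLOW_LOG))
    print("correlated alerts:", correlated_alerts(PROCESS_LOG, FLOW_LOG))
```

Run stand-alone, the threshold rule on the flow log returns nothing, because a 5 MB upload over port 443 is unremarkable on its own; the correlation rule returns one alert, because that upload started 95 seconds after an unsigned binary was launched from a temp directory on the same host. The thresholds are deliberately loose for illustration; in practice the interesting engineering is in choosing the join keys (host, user, session) and windows so the rule fires on the combination rather than on either event.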
Kind of reminds me of the recent Nevada encryption law…any guesses where the regulations are going next?