Comments on: Lack of transparency on Heartland breach http://lastwatchdog.com/lack-of-transparency-on-heartland-breach/ on Internet security by Byron Acohido Fri, 03 Feb 2012 18:38:32 +0000 hourly 1 http://wordpress.org/?v=3.0.4 By: Mary CO http://lastwatchdog.com/lack-of-transparency-on-heartland-breach/#comment-109 Mary CO Fri, 13 Feb 2009 21:35:16 +0000 http://zerodaythreat.com/?p=289#comment-109 I'm one whose credit card info was poached, and I'm just not as charitable as you, Byron. Intentional or not, Heartland's announcement was lost in all the inaugural frenzy. And Heartland hasn't yet offered credit monitoring to affected consumers. So it would seem that you're right: Heartland hasn't learned ANY lessons from the TJX corp's mishandling of the fallout of their breach. But having lived with credit/data "vulnerability" as a result of one Heartland hack and 2 corporate laptop thefts, I've learned a lesson: I do not trust that corporate or civil entities are concerned with protecting my personal information. O/T -- Congrats from a fellow OLS alum on your new book, Byron! Starting it this weekend. I’m one whose credit card info was poached, and I’m just not as charitable as you, Byron. Intentional or not, Heartland’s announcement was lost in all the inaugural frenzy. And Heartland hasn’t yet offered credit monitoring to affected consumers.

So it would seem that you’re right: Heartland hasn’t learned ANY lessons from the TJX corp’s mishandling of the fallout of their breach.

But having lived with credit/data “vulnerability” as a result of one Heartland hack and 2 corporate laptop thefts, I’ve learned a lesson: I do not trust that corporate or civil entities are concerned with protecting my personal information.

O/T — Congrats from a fellow OLS alum on your new book, Byron! Starting it this weekend.

]]> By: Mike Rothman http://lastwatchdog.com/lack-of-transparency-on-heartland-breach/#comment-96 Mike Rothman Thu, 22 Jan 2009 22:19:46 +0000 http://zerodaythreat.com/?p=289#comment-96 I don't think it matters how many identities were compromised. I can safely say it's greater than 1 million and probably less than a billion. Worrying about Heartland (and TJX for that matter) divulging that information is more about headline fodder for reporters than dealing with the root cause of the problem. This is the 2nd "PCI compliant" firm suffering a massive data breach. PCI will face a crisis of confidence unless the standards council figures out how to make the requirements more relevant to today's new attack vectors. I wrote a piece on the eIQ blog about the breach and one potential approach to defend against these kinds of attacks. http://blog.eiqnetworks.com/2009/01/22/heartland-proves-that-log-data-is-not-enough/ As another commenter made the point, you can't stop these attacks. But you can find out about them much faster and contain the damage. I don’t think it matters how many identities were compromised. I can safely say it’s greater than 1 million and probably less than a billion. Worrying about Heartland (and TJX for that matter) divulging that information is more about headline fodder for reporters than dealing with the root cause of the problem.

This is the 2nd “PCI compliant” firm suffering a massive data breach. PCI will face a crisis of confidence unless the standards council figures out how to make the requirements more relevant to today’s new attack vectors.

I wrote a piece on the eIQ blog about the breach and one potential approach to defend against these kinds of attacks. http://blog.eiqnetworks.com/2009/01/22/heartland-proves-that-log-data-is-not-enough/

As another commenter made the point, you can’t stop these attacks. But you can find out about them much faster and contain the damage.

]]> By: Identity Theft Expert http://lastwatchdog.com/lack-of-transparency-on-heartland-breach/#comment-95 Identity Theft Expert Thu, 22 Jan 2009 21:03:04 +0000 http://zerodaythreat.com/?p=289#comment-95 You wrote “Heartland insists that announcing the breach on Inauguration Day was pure coincidence. Let’s grant them that.” Are you kidding??? There are no coincidences when a CEO like Bob Carr from Heartland Payment Systems issues a press release like this. Bob has though about every angle (ten times over) to try and minimize the damages to his company. Issuing a press release on Barack Obama’s inauguration day was both sneaky as it was brilliant. Here is a good video regarding this angle: http://www.youtube.com/watch?v=fMYdxCvM3do&feature=channel_page Best regards, Keith www.insideIDtheft.info You wrote “Heartland insists that announcing the breach on Inauguration Day was pure coincidence. Let’s grant them that.”

Are you kidding???
There are no coincidences when a CEO like Bob Carr from Heartland Payment Systems issues a press release like this.
Bob has though about every angle (ten times over) to try and minimize the damages to his company.
Issuing a press release on Barack Obama’s inauguration day was both sneaky as it was brilliant.

Here is a good video regarding this angle:
http://www.youtube.com/watch?v=fMYdxCvM3do&feature=channel_page

Best regards,
Keith
http://www.insideIDtheft.info

]]> By: Adam Levin http://lastwatchdog.com/lack-of-transparency-on-heartland-breach/#comment-94 Adam Levin Thu, 22 Jan 2009 20:14:03 +0000 http://zerodaythreat.com/?p=289#comment-94 The Heartland breach is but another confirmation that the level of hacker sophistication continues to evolve and that we must never underestimate their ingenuity or capacity for stealth. Unfortunately, I anticipate that this type of criminal activity will become even more prevalent during this period of economic turmoil. Therefore, it is imperative that business, the Obama Administration and the new Congress keep privacy, security and identity theft issues on the front burner. Just as many public companies time the release of negative earnings reports to coincide with the end of the trading day on Friday, I am not surprised that disclosure of this particular breach was made on Inauguration Day – certainly one of the most heavily anticipated political events of our generation. This breach is yet another reminder of why consumers must spend a few minutes every day reviewing online the activity in their bank and credit card accounts and feeling completely comfortable that every transaction they see is correct. All the best, Adam K. Levin Chairman and Co-Founder Identity Theft 911 The Heartland breach is but another confirmation that the level of hacker sophistication continues to evolve and that we must never underestimate their ingenuity or capacity for stealth. Unfortunately, I anticipate that this type of criminal activity will become even more prevalent during this period of economic turmoil. Therefore, it is imperative that business, the Obama Administration and the new Congress keep privacy, security and identity theft issues on the front burner.

Just as many public companies time the release of negative earnings reports to coincide with the end of the trading day on Friday, I am not surprised that disclosure of this particular breach was made on Inauguration Day – certainly one of the most heavily anticipated political events of our generation.

This breach is yet another reminder of why consumers must spend a few minutes every day reviewing online the activity in their bank and credit card accounts and feeling completely comfortable that every transaction they see is correct.

All the best,

Adam K. Levin
Chairman and Co-Founder
Identity Theft 911

]]> By: JT Pickering http://lastwatchdog.com/lack-of-transparency-on-heartland-breach/#comment-93 JT Pickering Thu, 22 Jan 2009 17:52:06 +0000 http://zerodaythreat.com/?p=289#comment-93 Anyone in security or involved with PCI DSS knows that compliance does not indicate that a breech will not occur. Compliance is expensive and the dirty little secret is that many companies will try to get compliant as quickly and inexpensively as possible. I'm not convinced that PCI DSS compliance is not a safety for a breech. Some questions that lead us don other paths are: Who certified the breeched companies as compliant? Is there a pattern with the certifying company? What type and level was the breeched company? A pattern may develop there as PCI DSS requirements vary on the type and level. When the breeched companies answered the PCI DSS questionnaires, what answers did they provide? It is unlikely anyone will gain access to the questionnaires, but it would be interesting to have an independent 3rd party go through the questionnaires to confirm and find patterns. Anyone in security or involved with PCI DSS knows that compliance does not indicate that a breech will not occur. Compliance is expensive and the dirty little secret is that many companies will try to get compliant as quickly and inexpensively as possible. I’m not convinced that PCI DSS compliance is not a safety for a breech. Some questions that lead us don other paths are: Who certified the breeched companies as compliant? Is there a pattern with the certifying company? What type and level was the breeched company? A pattern may develop there as PCI DSS requirements vary on the type and level. When the breeched companies answered the PCI DSS questionnaires, what answers did they provide? It is unlikely anyone will gain access to the questionnaires, but it would be interesting to have an independent 3rd party go through the questionnaires to confirm and find patterns.

]]> By: Graham Cluley, Sophos http://lastwatchdog.com/lack-of-transparency-on-heartland-breach/#comment-91 Graham Cluley, Sophos Thu, 22 Jan 2009 16:53:42 +0000 http://zerodaythreat.com/?p=289#comment-91 It's funny how Heartland revealed their data breach on inauguration day, and RBS WorldPay admitted its incident that has affected 1.5 million people on 23 December. Maybe we should work out other "big dates" and "holidays" coming up in advance, and run a sweepstake on which companies may be trying to slip out their bad news then? It’s funny how Heartland revealed their data breach on inauguration day, and RBS WorldPay admitted its incident that has affected 1.5 million people on 23 December.

Maybe we should work out other “big dates” and “holidays” coming up in advance, and run a sweepstake on which companies may be trying to slip out their bad news then?

]]>