Heartland_report

Heartland Payment Systems experienced a significant data breach in 2008, affecting over 130 million credit cards and resulting in substantial financial losses. The breach was caused by a sophisticated SQL injection attack that exploited vulnerabilities in their payment processing network, leading to the installation of malware that captured sensitive data. In response, Heartland implemented extensive security measures, including PCI DSS compliance, end-to-end encryption, and real-time monitoring to prevent future incidents.

Heartland Payment Systems: Data Breach Analysis

Submitted By: Khushaliben Shah (C0886036)
Meghaben Shah (C0)
Karan Virmani (C0)

Table Of Contents:

Introduction

Background

Company/People Involved

About the attack

Event occurrence

Technical Flaws

Technical Aspects

Preventive Measures

Policies to prevent future attacks

Conclusion

References

Introduction

Heartland Payment Systems is a payment processing and technology company headquartered in Princeton, New Jersey. The company was founded in 1997 and provides payment processing services to businesses of all sizes, including e-commerce solutions, point-of-sale systems, payroll processing, and card payment processing. The company has invested significantly in security technology and procedures to help protect the private payment information of its customers. It serves over 300,000 businesses across the United States and has received numerous awards and recognitions for its payment processing services and technology innovations. The company experienced a significant data breach in 2009 that affected millions of its clients, but it has since put in place a number of measures to improve its security posture and prevent similar incidents from happening again.

The breach is estimated to have affected more than 130 million credit cards and cost
Heartland hundreds of millions of dollars in fines, settlements, and remediation costs.
This report will provide a detailed overview of the Heartland Payment Systems data
security breach, including the company or organization involved, the attack/event, how it
occurred, the technical aspects of the attack, changes implemented by the company,
and policies that should be implemented to prevent similar incidents.

Background

In its early days, Heartland Payment Systems focused on payment processing services for small and mid-sized businesses. The business set itself apart from rivals by providing upfront pricing, abstaining from adding extra charges, and pledging to provide top-notch customer service. As the business expanded, it added point-of-sale systems and payroll processing to its list of services. Heartland Payment Systems also earned a reputation as a pioneer in payment security by creating cutting-edge tools, including end-to-end encryption and tokenization, to safeguard user information.

Company/People Involved

In 2008, a significant cyber attack targeted the payment processing company Heartland Payment Systems, resulting in a data breach. The breach resulted in the theft of millions of credit and debit card numbers from Heartland's systems. The individual responsible for the attack was Albert Gonzalez, a hacker and computer criminal who was part of a group of cybercriminals involved in several other high-profile data breaches. He was born in Cuba and raised in the United States. Gonzalez began his criminal activities by operating an online forum that specialized in the buying and selling of stolen credit card information.

Gonzalez used various attack techniques, including SQL injection attacks, packet sniffing, and social engineering. He was responsible for several major data breaches, including those of Heartland Payment Systems, TJX Companies, and Dave & Buster's. He was eventually arrested by the US Secret Service in 2008 and sentenced to 20 years in federal prison in 2010 for his role in the Heartland breach and other cybercrimes.

About the attack

In late 2008, Heartland discovered suspicious network activity and launched an investigation, which ultimately revealed that malware had been installed on its payment processing network. The malware was designed to capture credit card numbers and other sensitive data as it passed through the network.

The Heartland breach was notable not only for its scale but also for the length of time
that the malware was able to remain undetected. It is believed that the attackers had
access to Heartland's systems for several months before the breach was discovered.
The incident raised concerns about the security of payment processing networks and
led to increased scrutiny of the payment card industry's data security standards.

In financial terms, Heartland Payment Systems had to pay approximately $145 million in compensation for fraudulent payments. This includes a fine of almost $60 million from Visa, a payment of about $3.5 million to American Express, and roughly $26 million in legal fees.

[Figure: Analysis of Heartland Payment Systems stock price]

Event Occurrence

The Heartland Payment Systems data breach was caused by a sophisticated SQL injection attack that exploited vulnerabilities in Heartland's payment processing system. The attacker used a type of malicious code known as a "sniffer" to capture and record credit card data as it was being transmitted through Heartland's network.

The specific details of the malicious code used in the Heartland attack have not been publicly disclosed. However, it is known that the attacker used a combination of custom-built malware and off-the-shelf hacking tools to penetrate Heartland's network and install the sniffer software. The attacker was also able to evade detection for several months by encrypting the captured data and transmitting it to a server outside of Heartland's network. The malware was specifically crafted to seize credit card numbers and other sensitive data, such as customers' names, card expiration dates, Social Security numbers, phone numbers, and addresses, as it traversed the network. Heartland detected the breach only after monitoring suspicious network activity, prompting an investigation that ultimately uncovered the extent of the attack.

Technical Flaws

Several organizational issues led to the technical vulnerabilities that enabled the
Heartland security breach:

Inadequate cybersecurity measures: Heartland's insufficient cybersecurity measures facilitated cybercriminals to exploit the network's vulnerabilities and install the malware that allowed for the breach.

Non-compliance with data security standards: Heartland failed to comply with the
Payment Card Industry Data Security Standards (PCI DSS) at the time of the breach,
indicating that the company was not implementing sufficient measures to safeguard the
sensitive data it was processing, thus making it easier for cybercriminals to pilfer the
data.

Lack of transparency: Heartland's response to the breach was widely criticized for its opacity. The company initially divulged only minimal information about the breach and was slow to notify affected individuals about the potential ramifications of the breach. This lack of transparency eroded customer trust and besmirched the company's reputation.

Technical Aspects

The Heartland security breach was a highly intricate attack that leveraged numerous
technical vulnerabilities within Heartland's payment processing network. The technical
aspects of the attack comprised:

Malware: The cybercriminals utilized malware to seize credit card numbers and other sensitive data as it traversed Heartland's payment processing network. The malware was programmed to stay undetected on the network for as long as possible, to maximize the amount of pilfered data.

SQL injection: The attackers are purported to have gained unauthorized access to
Heartland's systems via a SQL injection attack. This is a type of cyber attack that
targets the security vulnerabilities in web applications that are reliant on databases. The
attackers utilized the SQL injection to install the malware that facilitated the breach.

Lack of encryption: At the time of the breach, Heartland did not encrypt all of the
data it was processing. This meant that the credit card numbers and other
sensitive information that were captured by the attackers were unencrypted and
consequently more vulnerable to theft.

Failure to detect the breach: The malware that was utilized in the Heartland breach
was able to remain unnoticed on the payment processing network for several months.
This was partly due to Heartland's inadequate cybersecurity measures and its failure to
identify the abnormal network activity caused by the malware.
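The SQL injection entry point described above, as an added illustration that is not part of this report and not Heartland's code: a hypothetical merchant lookup written the vulnerable way (input spliced into the query text) beside its parameterised form, run against a constructed in-memory SQLite table whose schema and rows are assumptions.

```python
import sqlite3


# Constructed in-memory table standing in for a web application's database;
# the schema and rows are assumptions for this example, not Heartland's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, api_key TEXT)")
    conn.executemany(
        "INSERT INTO merchants VALUES (?, ?, ?)",
        [(1, "acme-diner", "key-acme"), (2, "bobs-fuel", "key-bobs")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Vulnerable pattern: untrusted input is spliced into the SQL text, so the
    # database cannot distinguish query structure from data. A quote character
    # in `name` changes what the statement means.
    sql = f"SELECT name FROM merchants WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, name):
    # Hardened pattern: the value is bound as a parameter, so the engine treats
    # it as one literal string regardless of the characters it contains.
    sql = "SELECT name FROM merchants WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input containing a quote, of the kind the vulnerable query cannot
# tell apart from SQL; the hardened query simply finds no merchant by that name.
TAUTOLOGY_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", lookup_vulnerable(conn, TAUTOLOGY_INPUT))  # both rows
    print("hardened:  ", lookup_hardened(conn, TAUTOLOGY_INPUT))    # []
```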

Preventive measures

In response to the Heartland Payment Systems security breach of 2009, the company
undertook several comprehensive and elaborate measures to secure its payment
processing network and prevent similar attacks from reoccurring. These measures
involved a range of technical and organizational solutions, including:

Achieving and maintaining PCI DSS compliance: Heartland undertook significant efforts to comply with the Payment Card Industry Data Security Standards (PCI DSS) to ensure that the company was taking the necessary steps to safeguard the sensitive information that it handled. Compliance with the PCI DSS standards includes a set of stringent security requirements for organizations that handle credit card information.

Implementing end-to-end encryption: Heartland implemented end-to-end encryption of payment card data, which ensures that sensitive information is protected from the moment it is captured until the time it is processed. This advanced encryption technology significantly reduces the risk of data breaches and makes it much harder for cybercriminals to steal credit card numbers and other sensitive information.
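An added example, not Heartland's code, of the tokenization this report mentions alongside end-to-end encryption in the Background: a hypothetical in-memory token vault that replaces a card number (PAN) with a random surrogate keeping only the last four digits and deliberately failing the Luhn check, so a token can never be mistaken for a real card number, plus the masking applied before a PAN reaches logs or receipts. The vault storage, the well-known 16-digit test PAN and the helper names are assumptions.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check used by payment cards; tokens are generated to FAIL it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory vault mapping tokens to PANs. In production the
    stored PAN would itself be encrypted and the vault isolated from the
    merchant systems that only ever see tokens; both are outside this example."""

    def __init__(self):
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            # Random leading digits, same length and same last four as the PAN
            # so downstream systems can still show "card ending in 1111".
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject Luhn-valid candidates: a token must never look like a PAN.
            if not luhn_valid(token) and token not in self._by_token:
                self._by_token[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]   # KeyError for unknown tokens


TEST_PAN = "4111111111111111"  # well-known Luhn-valid test number, not a real card
```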

Adopting the EMV chip-and-PIN standard: Heartland adopted the EMV chip-and-PIN
standard for card-present transactions, which is a highly secure payment processing
method that replaces the traditional magnetic stripe on credit and debit cards with a
more sophisticated embedded chip. This helps to prevent the use of counterfeit credit
cards, which is a common tactic used by cybercriminals.

Implementing real-time monitoring: Heartland implemented real-time monitoring of its payment processing network to detect and respond to unusual network activity and potential cyber attacks. This included the use of advanced analytics tools and security information and event management (SIEM) systems, which help to improve the company's ability to detect and respond to security threats in a timely manner.
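As an added example that is not from this report: detection logic of the kind the real-time monitoring above would run, applied to constructed flow records. It flags hosts in an assumed card-processing segment (10.20.0.0/16) that push unusually large volumes to external destinations not on an allowlist, which is the traffic pattern the report's account of the sniffer's exfiltration describes. Addresses, the segment, the allowlist and the threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records: timestamp, source, destination, bytes sent.
# The 10.20.0.0/16 "card-processing" segment and the external hosts are invented.
SAMPLE_FLOWS = """\
2008-05-14T02:10:01 10.20.1.15 10.20.3.8 1200
2008-05-14T02:10:05 10.20.1.15 10.20.3.8 980
2008-05-14T02:11:40 10.20.1.15 203.0.113.77 52428800
2008-05-14T02:12:02 10.20.2.30 198.51.100.9 4096
2008-05-14T02:13:11 10.20.1.15 203.0.113.77 31457280
2008-05-14T02:14:00 10.20.4.2 192.0.2.10 2048
"""

CARD_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
# Explicit internal ranges rather than ip_address.is_private, because Python
# also classifies the documentation ranges used above as "private".
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# External hosts the card segment is legitimately allowed to reach (e.g. an
# acquirer gateway); constructed for this example.
EXTERNAL_ALLOWLIST = {ipaddress.ip_address("198.51.100.9")}
OUTBOUND_BYTES_THRESHOLD = 10 * 1024 * 1024  # 10 MiB per source/destination pair


def parse_flows(text):
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def find_exfil_candidates(text):
    """Return {(src, dst): total_bytes} for card-segment hosts that sent more
    than the threshold to a destination that is neither internal nor allowlisted."""
    totals = defaultdict(int)
    for _ts, src, dst, nbytes in parse_flows(text):
        if src not in CARD_SEGMENT:
            continue
        if any(dst in net for net in INTERNAL_RANGES) or dst in EXTERNAL_ALLOWLIST:
            continue
        totals[(str(src), str(dst))] += nbytes
    return {pair: b for pair, b in totals.items() if b > OUTBOUND_BYTES_THRESHOLD}


if __name__ == "__main__":
    for (src, dst), total in find_exfil_candidates(SAMPLE_FLOWS).items():
        print(f"ALERT: {src} sent {total} bytes to external host {dst}")
```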

Increasing employee training: Heartland increased employee training on cybersecurity best practices to ensure that all employees were aware of the risks and could take steps to prevent security breaches from occurring. This included regular security awareness training, phishing simulations, and other educational programs to promote a culture of security awareness and preparedness.

Increasing transparency: Heartland increased transparency with customers and other stakeholders to rebuild trust and restore its reputation after the security breach. The company provided regular updates on its security measures and compliance with industry standards, and it engaged in open dialogue with customers and other stakeholders to address their concerns and answer their questions.

Overall, the comprehensive measures and interventions that Heartland implemented in response to the security breach of 2009 demonstrate the company's commitment to cybersecurity and its dedication to protecting the sensitive information that it handles. These advanced security solutions and practices help to reduce the risk of future data breaches and ensure that Heartland remains a trusted leader in the payment processing industry.

Policies to prevent future attacks

To secure a company or organization and prevent security breaches, several policies should be implemented, including:

Regular security assessments: Regular assessments should be conducted to identify
vulnerabilities in the systems and networks of the company or organization, and to
address them promptly. This can be accomplished through technical assessments such
as penetration testing, vulnerability scanning, and risk assessments.

Access control policies: Strict access control policies should be implemented to ensure that only authorized personnel have access to sensitive information and systems. This can be achieved through authentication methods such as multi-factor authentication, role-based access control, and least privilege access.

Data encryption: Sensitive data should be encrypted at rest and in transit to prevent
unauthorized access and protect the confidentiality and integrity of the data. This can be
achieved through encryption techniques such as Advanced Encryption Standard (AES),
Transport Layer Security (TLS), and Secure Sockets Layer (SSL).

Incident response plan: An incident response plan should be developed and implemented that outlines the procedures to be followed in the event of a security breach, including how to contain the breach, notify stakeholders, and recover from the incident. This plan should be regularly tested and updated to ensure its effectiveness.

Employee training: Regular training should be provided to employees on security best practices and how to identify and report potential security threats. This can include training on phishing attacks, social engineering, and other common tactics used by hackers.

A comprehensive solution to ensure compliance with security policies, secure the company or organization, and prevent security breaches should include a combination of administrative, technical, physical, preventive, detective, and corrective measures. These may include:

Administrative measures: These include policies, procedures, and guidelines that
govern the organization's security posture, such as security policies, incident response
plans, access control policies, and employee training programs. These measures
should be documented and communicated to all personnel within the organization.

Technical measures: These include technical controls such as firewalls, intrusion detection systems, encryption, and vulnerability scanning to protect the organization's systems and data from unauthorized access and cyber threats. These measures should be regularly updated and maintained to address new and emerging threats.

Physical measures: These include physical security controls such as security cameras, access control systems, and security guards to protect the organization's physical assets from theft, vandalism, and other types of damage. These measures should be implemented based on the specific needs and risks of the organization.

Preventive measures: These include measures that are put in place to prevent
security breaches from happening in the first place, such as regular security
assessments, network segmentation, and the use of strong passwords and multi-factor
authentication. These measures should be proactive and designed to reduce the
likelihood of a security breach.

Detective measures: These include measures that are put in place to detect security
breaches that have already occurred, such as network monitoring, log analysis, and
intrusion detection systems. These measures should be designed to quickly identify
security breaches so that they can be contained and remediated.

Corrective measures: These include measures that are taken to remediate security
breaches that have occurred, such as incident response plans, data backup and
recovery procedures, and forensic investigations to determine the root cause of the
breach and prevent similar incidents from happening in the future. These measures
should be designed to minimize the impact of a security breach and prevent it from
happening again in the future.

Conclusion

This breach had far-reaching consequences for the company and its customers, resulting in significant financial losses, reputational damage, and the implementation of new security measures. The incident served as a wake-up call for many businesses and highlighted the importance of robust data security measures to prevent similar incidents in the future.

A comprehensive solution to prevent security breaches and secure a company or organization should address all aspects of the organization's security posture and be tailored to the specific needs and risks of the organization. By implementing a range of measures across administrative, technical, physical, preventive, detective, and corrective domains, organizations can create a robust security program that protects their assets and data from unauthorized access and cyber threats.