Largest Data Breach

It looks like Heartland Payment Systems is the latest victim of a data breach, although it might be more accurate to say that both they and their customers are the victims. In this case, hackers appear to have sniffed transactions with the Heartland system, all of which were unencrypted. Heartland's CEO has been quoted as explaining that they need to have the transaction data unencrypted to process it. Here's a summary of what's known so far:

  • Heartland Payment Systems processes payroll and credit card payments for more than 250,000 businesses
  • They reported that they discovered an intrusion last week that exposed consumer credit card data last year
  • They were alerted to suspicious activity in processing Visa and MasterCard transactions—auditors then discovered malware that had compromised the company’s data
  • Company spokesperson says they “understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice"

This incident highlights the fact that achieving PCI compliance does not imply that a business has achieved real security. For example, PCI does not currently require that credit card data be encrypted as it is moved between machines on a corporate network, which is highly likely where this breach occurred. This incident should serve as a wake-up call that PCI should be used as a starting point instead of an end point in the effort to protect sensitive data.

Robust encryption technologies and innovative solutions that leverage them exist today that could have prevented this breach altogether. In fact, best-in-class businesses are currently implementing software that can address these types of attacks. However, Heartland appears to be an example of an organization which assumed that simply passing its PCI audit meant that it was truly secure.

Why were they targeted? Data can now be easily monetized, creating demand for criminal data theft, and increasingly, multi-tiered networks of organized hackers have replaced bored teenagers as the perpetrators of computer attacks. TJX, Hannaford, RBS Worldpay and now Heartland are just a few of the organizations that have fallen prey to orchestrated offensives. The perpetrators here are likely multi-tiered networks of hackers and social engineering manipulators who can gather and auction bulk data to the perpetrators of credit card fraud. This attack could potentially have been enabled or even initiated by an insider, even though Heartland says in this case it was not.

How can organizations reduce this type of risk? Most processors – even if PCI compliant – currently have, as standard practice, sections of their network where data is not encrypted, or is in the clear, in order to communicate with the upstream clearinghouses and card companies (e.g. Visa, Mastercard, American Express). These gaps create excellent attack points for hackers, as data is fully exposed. The only solution to eliminate this threat is end-to-end encryption. New techniques such as Format-Preserving Encryption (FPE) and Identity-Based Encryption (IBE) allow organizations to encrypt information at the point of capture, and data is persistently protected all the way to the trusted clearinghouse. No air gaps, no exposure. Even if a hacker gains access to an intermediary system, no actual data can be stolen.

It's certainly true that many encryption technologies don't protect data as it moves through a network. Database encryption, for example, may protect data while it's in a database, but doesn't do anything for the data once it leaves the database. Even SSL doesn't protect data all the time. SSL may protect data while it's moving, but after it's moved, the sensitive data then typically sits on a server somewhere, where the protection provided by SSL is gone.

Some encryption technologies, however, do indeed provide the capability to protect data no matter where it goes. Format-Preserving Encryption (FPE), the new mode of AES that's been submitted to NIST, lets you do this. Data encrypted with FPE has the very same format as unencrypted data. A 16-digit number gets encrypted to another 16-digit number, for example. If you use FPE to encrypt sensitive information, it's easy to keep the protection provided by the encryption, even as the encrypted information moves through a network.

Other ways to encrypt sensitive information may cause problems, particularly in legacy environments. In these, there's often a system somewhere that won't be able to handle encrypted information because its format is different from the unencrypted information that it's expecting. If you encrypt a 16-digit credit card number, for example, the encrypted credit card number may be longer than 16 characters or may no longer consist only of digits. This means that many legacy systems will be unable to handle encrypted information gracefully. On the other hand, if the format of the data is unchanged by encryption, then even the most complicated legacy systems will be able to easily handle it.

This is exactly what FPE does, which means that if you use FPE to protect sensitive information then there's absolutely no problem with keeping sensitive information encrypted at all times. If that's the case, all a hacker can get by sniffing a network is encrypted information, which is totally useless to him.
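To make the "16 digits in, 16 digits out" property concrete, here is an added illustrative example (not the post's or Voltage's code, and not the AES mode submitted to NIST): a toy Feistel-style cipher over decimal strings in the same shape as the FFX family, using HMAC-SHA256 as the round function. The key and the sample card-number-shaped value are constructed for the demo.

```python
import hmac
import hashlib

# Illustrative format-preserving cipher over decimal digit strings.
# It follows the alternating Feistel layout of the FFX/FF1 family, but uses
# HMAC-SHA256 as the round function instead of AES and has not been analysed
# for real use; it exists only to show what "format-preserving" means.
ROUNDS = 10


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """PRF mapping (tweak, round number, one half) to an integer in [0, 10**width)."""
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _split(digits: str):
    if len(digits) < 2 or any(ch not in "0123456789" for ch in digits):
        raise ValueError("input must be a string of at least two decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:]          # widths u and n-u (unequal when n is odd)


def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Encrypt a digit string to another digit string of exactly the same length."""
    a, b = _split(digits)
    u, v = len(a), len(b)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v         # width of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)          # keep leading zeros so the width is preserved
    return a + b


def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the rounds backwards."""
    a, b = _split(digits)
    u, v = len(a), len(b)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"  # constructed demo key, not a real one
    pan = "1234567890123456"                   # constructed 16-digit sample value
    ct = fpe_encrypt(key, pan)
    print(pan, "->", ct, "->", fpe_decrypt(key, ct))
```

Because the ciphertext is still a 16-digit string, it fits the same database column, message field or legacy validation that the plaintext did, which is the property the paragraph above relies on.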
