For the past few weeks, some of us have been in communication about reports about a second big processor breach. The good folks over at Open Security Foundation (OSF) went public on February 13 that they were getting multiple tips about the breach. This site was also hearing some of the same reports (perhaps from some of the same sources), but we were all pretty much stuck without actual confirmation that we could cite. Unlike the Heartland breach where we started finding banks in disparate areas reporting breaches, we simply weren’t finding anything yet on the more recent breach.
On Saturday, I was able to locate independent confirmation of the breach. I started posting the notices that I had uncovered, and alerted OSF’s Dave Shettler and other interested parties. The following day, Dave blogged more about the second breach. By Monday, mainstream media had picked up the story and the rumor mills as to the source of the breach kicked into high gear in some quarters.
Thanks to a more recent credit union notice that Jai Vijayan of Computerworld uncovered from the Alabama Credit Union, we now know that this is not just credit cards that have been affected, but that the breach also appears to involve “long lists” of compromised ATM/debit cards. Visa and MasterCard remain mute about the source of the breach, although once the confirmation was found, Visa confirmed to Computerworld that a processior “experienced a compromise of payment card account information from its systems,” and MasterCard’s statement referred to the processor as being in the U.S.
So far neither this site nor OSF has speculated publicly about who the unnamed processor might be, other than to indicate that all signs point to it being a large processor. The recent revelation that the breach also involved ATM/Debit cards and not just card-not-present fraud changes the pool of possible candidate processors.
Whatever happens, it is clear that hackers have figured out how to successfully gain access to tremendous databases of usable data. Following the Heartland breach, Heartland indicated that it was reaching out to others in the industry to promote better sharing of information and end-to-end encryption to prevent problems. But the question remains: how did hackers gain access to the internal network and evade detection for so long? Earlier today, Breach released its annual report, Web Hacking Incidents Database 2008, noting how little we know because of failures to disclose more information that would enable people to prevent problems:
Resistant to Public Disclosure – Most organizations are reluctant to publicly disclose the details of the compromise for fear of public perception and possible impact to customer confidence or competitive advantage.
In many cases we feel that this lack of disclosure, apart from skewing statistics, prevents fixing the root cause of the problem. This is most noticeable in malware-planting incidents, in which the focus of the remediation process is removing the malware from the site rather than fixing the vulnerabilities that enabled attackers to gain access in the first place.
Hopefully, Heartland is sharing specific information with other processors so that they can bring in forensic experts to review their systems to determine if they, too, may have been breached without it ever being detected. But as one bank security expert reminded me recently, end-to-end encryption doesn’t prevent intrusion and assuming that entities are, indeed, compliant with PCI-DSS, the standards probably need revision. Heartland’s compliance with PCI-DSS standards is currently under review.
In the meantime, this site will not speculate on who the “Unnamed Processor” might be, although I have been informed that one of the entities whose name has been suggested on other web sites or in other media coverage has flatly denied being breached. It is also not clear to me (yet) whether this unnamed processor breach is related to another series of fraud reports I have started investigating or whether those reports represent yet another processor breach that was never reported in the mainstream media or to the public. It’s getting so that I need a scorecard to keep the breaches straight, and that’s not good. And my real fear is that most processors have already been breached but just haven’t detected it out yet.