Given the size and sophistication of Heartland’s business–it is one of the top payment-processing companies in the United States–computer-security experts say that a standard, in-the-wild computer worm or Trojan is unlikely to be responsible for the data breach. The company itself believes that the break-in could be part of a “widespread global cyber fraud operation.” Heartland is cooperating with federal authorities.
Some computer-security professionals say that incidents of this kind have become more targeted in the past year, with attack tools often customized to specific industries, or even specific companies. Often this is accomplished by attacking weaknesses in software known to be commonly used in a particular industry sector. Another payment-processing company, RBS Worldpay, was the victim of an attack last December.
Security professionals say that a key question–perhaps even more pressing than how the attackers accessed the network–is how the breach went undetected for so long.
Heartland has promised to install a “next-generation program designed to flag network anomalies in real-time,” as part of its attempt to bolster its network against such attacks in the future. In fact, many financial and other companies already use real-time network intrusion and anomaly-detection technology. Most such tools have a couple of functions: identifying signatures of known malware, and looking for unfamiliar patterns of network activity that may indicate unauthorized access.
Yet even the best of these systems is no magic bullet, professionals say. The weak link is often still human: employees who aren’t monitoring the system closely enough or haven’t updated the tools’ profiles to reflect network changes. “It’s not about having the best, most expensive next-generation software,” says Inno Eroraha, founder of NetSecurity, a computer-security and -forensics company. “You have to get human beings involved. If nobody’s monitoring those systems, it may already be too late.”
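The two detection functions and the stale-profile problem described above, as an added Python example that is not from the article or from any vendor's product. The host names, signature string, flow records and threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed placeholder signature, not a real malware indicator.
SIGNATURES = {"sig-demo-001": b"EXAMPLE-KNOWN-BAD"}

def build_profile(history):
    """Learn, per (src, dst, port) path, the mean and std-dev of bytes sent."""
    samples = {}
    for src, dst, port, nbytes, _ in history:
        samples.setdefault((src, dst, port), []).append(nbytes)
    return {path: (mean(v), pstdev(v)) for path, v in samples.items()}

def inspect(flow, profile, z_limit=3.0):
    """Return the alerts one flow raises: signature hits plus anomalies."""
    src, dst, port, nbytes, payload = flow
    alerts = [f"signature:{name}" for name, pat in SIGNATURES.items()
              if pat in payload]
    path = (src, dst, port)
    if path not in profile:
        alerts.append("anomaly:unprofiled-path")   # never seen in the baseline
    else:
        mu, sigma = profile[path]
        # Floor sigma at 1 so a perfectly flat baseline does not alert on noise.
        if nbytes > mu + z_limit * max(sigma, 1.0):
            alerts.append("anomaly:volume")
    return alerts

# Constructed flows: (src, dst, port, bytes, payload excerpt)
HISTORY = [("pos-gw", "auth-db", 5432, n, b"") for n in (900, 1000, 1100, 1000)]
# The network changed: a second database was added, and the profile relearned.
AFTER_CHANGE = HISTORY + [("pos-gw", "auth-db2", 5432, n, b"") for n in (950, 1050)]

TODAY = [
    ("pos-gw", "auth-db", 5432, 1020, b""),          # ordinary traffic
    ("pos-gw", "auth-db2", 5432, 1000, b""),         # legitimate new server
    ("auth-db", "203.0.113.7", 443, 250000, b""),    # unfamiliar outbound path
    ("pos-gw", "auth-db", 5432, 90000, b""),         # volume far above baseline
    ("pos-gw", "auth-db", 5432, 1000, b"..EXAMPLE-KNOWN-BAD.."),
]

def run(profile):
    return [inspect(flow, profile) for flow in TODAY]

if __name__ == "__main__":
    for label, hist in (("stale", HISTORY), ("updated", AFTER_CHANGE)):
        print(label, run(build_profile(hist)))
```

With the stale profile the legitimate new server raises the same alert as the unfamiliar outbound path, so an analyst has to tell them apart by hand; with the updated profile only the three genuine findings remain.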
Credit-card payment processors such as Heartland are already bound to follow a set of security standards known as the Payment Card Industry Data Security Standard (PCI DSS), covering issues such as maintaining secure networks, protecting stored cardholder data, and keeping antivirus software up to date. Heartland was certified as PCI compliant last year, and other recent victims of break-ins, including RBS Worldpay, can make similar claims. But professionals say that the standards are evolving, as technology–and attackers–become more sophisticated. “From what we’ve seen, PCI has been effective, but it is a starting point,” says Mike Hrabik, chief technology officer of Solutionary, a computer-forensics company. “Is it where it needs to be? No.”