What’s the worst thing that could happen in a data breach? If you said millions of dollars in losses, a business forced to go on hiatus, scores of compliance violations and tons of bad press, then you might have worked at Heartland Payment Systems back in 2008.(Although the breaches took place over several months in 2008, the company did not go public with the findings until January 2009.)
The Fortune 1000 company, which specializes in payment, point-of-sale and payroll systems, suffered one of the worst data breaches in history. Here’s a quick recap of the breach:
The company was first notified by Visa and MasterCard in October 2008 about suspicious transactions stemming from accounts Heartland processed. Suspecting a cyber attack, Heartland hired cybersecurity forensics experts to investigate the issue. It took more than two months to unravel the mystery.
Computers used to process payment transactions had been compromised by an SQL injection attack in 2007. The attack modified the code on a web script, giving attackers access to a web login page. The attack, undetected for months as it moved through Heartlands' system, found enough data to create new physical credit cards, including the data coded into the card’s magnetic strip.
In 2009, Albert Gonzalez (later sentenced to 20 years) and two partners in crime were indicted for the attack. But the damage was done. Heartland lost its PCI DSS compliance for four months and lost hundreds of customers. The total monetary loss to the company, including compensating victims, was more than $200 million. Heartland's stock price fell 50% within days of announcing the breach, sinking more than 77% in the ensuing months. It was by far the most damaging publicly reported cyber attack at the time.
Here are a few lessons we can all learn from the attack.
Even though Heartland discovered the breach in late 2008, one of its early priorities was disclosing the breach to the public in the right way. It waited until authorities had finished their initial assessment. The announcement fell on President Barak Obama’s Inauguration Day, January 20, 2009 – causing critics to accuse the company of trying to bury the news.
Public disclosure isn't easy and usually results in damage. But in the end notifying your customers and keeping them updated in an honest and transparent way is the best way to limit the damage and avoid a total loss of public opinion. It's also a legal requirement. Organizations now must disclose breaches to the public within 30 days after they're discovered.
Once your breach is discovered, you need to act quickly to contain the breach and close any potential security flaws that could lead to more attacks. After their leak, Heartland initiated a plan to encrypt card data at the point that it’s swiped so it isn’t as vulnerable when moving over networks.
Make sure all third-party systems are secure, not just high-profile servers
Most companies focus on their most critical servers when considering IT security. But attackers don’t care whether they get in through a critical security server or one that controls your HVAC. In attacks, all third parties ARE created equal. Even if an outside vendor or partner manages a less critical system, make sure it's secured.
Don't confuse compliant with secure
At the time of the breach, Heartland was PCI DSS compliant. Unfortunately, too many companies feel that the bare minimum compliant software is enough to keep them secure. Regulations such as PCI can’t cover every business' specific needs. Although compliance and security frameworks can help, evaluate your own IT security needs, not just general guidelines.
Remember that firewalls are not a failsafe
As Heartland showed, firewalls become essentially useless once a user gets inside them. In today's business environment, people are the new perimeter. Gonzalez got into their system and was able to spend as much time as he needed undetected because Heartland put too much faith in their outer level security.
Even though this breach happened over six years ago, the lessons Heartland learned can still be applied to any business. Adapt to the new threats facing companies today and take a people-centric approach to cybersecurity to become truly secure—and be honest with the public when things go wrong.
Read about our last Throwback Thursday blog post called, “Throwback Thursday: Firstsource Data Breach Leaves Workers Suspended.”
Subscribe to the Proofpoint Blog