By Bill Brenner
August 12, 2009
For Heartland Payment Systems Inc. CEO Robert Carr, the year did not
start off well, to say the least.
In January, the Princeton, N.J.-based provider of credit and debit
processing, payment and check management services was forced to
acknowledge it had been the target of a data breach -- in hindsight,
possibly the largest to date with 100 million credit and debit cards
exposed to fraud.
In the following Q&A, Carr opens up about his company's data security
breach. He explains how, in his opinion, PCI compliance auditors failed
the company, how informing customers of the breach before the media had
a chance to was the best response, and how other companies can avoid the
pain Heartland has experienced.
Take us back to the moment you were told a breach may have happened.
What was your first thought?
Carr: "It was a Monday night in January, just after dinner, when I was
told data files were found on our servers that were not created by
Heartland. That was a clear sign of trouble. It was a sleepless night.
The question people always ask is what keeps me awake at night. Well,
this is it."
What have you learned in recent months regarding how exactly the
burglars were able to get in? What have investigators flagged in terms
of the big security holes that were exploited?
Carr: "The audits done by our QSAs (Qualified Security Assessors) were
of no value whatsoever. To the extent that they were telling us we were
secure beforehand, that we were PCI compliant, was a major problem. The
QSAs in our shop didn't even know this was a common attack vector being
used against other companies. We learned that 300 other companies had
been attacked by the same malware. I thought, 'You've got to be kidding
me.' That people would know the exact attack vector and not tell major
players in the industry is unthinkable to me. I still can't reconcile
Subscribe to InfoSec News