Heartland Payment Systems Breach - TJX Breach 2.0
Posted by Prat Moghe on Tue, Jan 20, 2009
It was announced today (Jan 20, 2009) that Heartland Payment Systems, the sixth-largest payment processor in the US, suffered a breach in 2008 that may have resulted in the theft of over 100 million credit cards. While there are several theories about how the attack happened, the evidence shared so far suggests that this compromise is quite similar to the TJX incident.
Form of Attack: In this case, there was apparently malware that sniffed centralized transactions within the Heartland network, where credit card data was in the clear. At some point, this malware presumably exported the captured information to the thieves’ data center.
In the TJX case, there was a two-stage attack: the first stage exploited a WEP weakness to obtain privileged credentials and reach the unencrypted data-at-rest on RTS servers. This was followed by the installation of malware to sniff transactions on the network.
The Heartland case shows the second-stage attack; there is no information yet on the first stage. However, it is hard to imagine how the second stage could be achieved without privileged credentials. Hopefully more details will be released when this incident makes it to court. With TJX, it took more than a year for these details to come out, so it is best to be patient.
Form of Detection: Another similarity to TJX is that I am sure we will keep getting asked the same question: what is a way to detect these attacks in real time? My suggestion is a combination of DAM (data activity monitoring, to detect data-at-rest attacks and unencrypted data access) and DLP/NBAD (data leakage prevention/network behavioral anomaly detection, to detect large outbound flows). Together, these are reasonable ways to detect such attacks in real time.
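To make the detection suggestion concrete, here is an added example that is not from the post and not Heartland's, TJX's or any vendor's code. It shows the two ideas the paragraph names in toy form: the NBAD side builds a per-host outbound-volume baseline from constructed flow records and flags a host whose volume jumps or that talks to a destination it never used during the baseline; the DLP content side scans a constructed payload for cleartext card numbers, using a Luhn check to keep 16-digit reference numbers from producing false positives. Host names (`pos-gw-01`, `db-01`), destinations, byte counts and the payload are all constructed; the DAM (data-at-rest) part of the suggestion is not modeled here.

```python
"""Toy NBAD/DLP detection over constructed flow records and a constructed payload.
Added example, not code from the blog post or from any of the organizations named in it."""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    day: int        # day index within the observation window
    src: str        # internal host that originated the flow (constructed name)
    dst: str        # destination the flow went to (constructed name/address)
    bytes_out: int  # bytes sent from src to dst


# Constructed sample: seven baseline days for two hypothetical internal hosts,
# then day 8, on which the POS gateway also pushes a large volume to a host it
# has never talked to (198.51.100.23 is a documentation-range address).
_BASELINE_GW = [48_000, 52_000, 50_000, 49_000, 51_000, 50_000, 50_000]
SAMPLE_FLOWS = (
    [Flow(d, "pos-gw-01", "acquirer.example", b) for d, b in enumerate(_BASELINE_GW, start=1)]
    + [Flow(d, "db-01", "backup.example", 10_000) for d in range(1, 8)]
    + [
        Flow(8, "pos-gw-01", "acquirer.example", 50_000),
        Flow(8, "pos-gw-01", "198.51.100.23", 800_000),
        Flow(8, "db-01", "backup.example", 10_000),
    ]
)
BASELINE_DAYS = range(1, 8)


def outbound_by_host_day(flows):
    """Sum outbound bytes per (host, day)."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.day)] += f.bytes_out
    return totals


def baseline_profile(flows, baseline_days, k=3.0):
    """Per-host alert threshold plus the set of destinations seen during the baseline."""
    daily = defaultdict(list)
    known_dst = defaultdict(set)
    base = [f for f in flows if f.day in baseline_days]
    for (host, _day), total in outbound_by_host_day(base).items():
        daily[host].append(total)
    for f in base:
        known_dst[f.src].add(f.dst)
    profile = {}
    for host, totals in daily.items():
        mean = statistics.fmean(totals)
        sd = statistics.stdev(totals) if len(totals) > 1 else 0.0
        # Floor at twice the baseline mean so a perfectly steady host (sd == 0)
        # does not alert on a trivial increase.
        profile[host] = (max(mean + k * sd, 2 * mean), known_dst[host])
    return profile


def detect_exfil_candidates(flows, baseline_days, detect_day, k=3.0):
    """Flag hosts whose outbound volume on detect_day exceeds their baseline threshold,
    or that talk to a destination never seen in the baseline. A host with no baseline
    at all gets a threshold of 0 and therefore always alerts."""
    profile = baseline_profile(flows, baseline_days, k)
    day_flows = [f for f in flows if f.day == detect_day]
    alerts = []
    for (host, _day), total in sorted(outbound_by_host_day(day_flows).items()):
        threshold, known = profile.get(host, (0.0, set()))
        new_dsts = sorted({f.dst for f in day_flows if f.src == host} - known)
        if total > threshold or new_dsts:
            alerts.append({"host": host, "bytes_out": total,
                           "threshold": round(threshold), "new_destinations": new_dsts})
    return alerts


# --- DLP content side: cleartext card numbers in a captured payload ------------
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators


def luhn_valid(digits):
    """Standard Luhn check-digit test over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload):
    """Return digit-only candidates that look like PANs and pass the Luhn check."""
    hits = []
    for m in _PAN_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


# Constructed payload: one Luhn-valid test number and one 16-digit reference
# that fails Luhn and so must not be reported.
SAMPLE_PAYLOAD = "card=4111 1111 1111 1111 exp=1225 ref=1234567890123456"


if __name__ == "__main__":
    for a in detect_exfil_candidates(SAMPLE_FLOWS, BASELINE_DAYS, 8):
        print("NBAD alert:", a)
    print("DLP hits:", find_cleartext_pans(SAMPLE_PAYLOAD))
```

Run against the constructed data, only `pos-gw-01` alerts on day 8 (850,000 bytes against a 100,000-byte threshold, plus a never-seen destination), while the steady `db-01` stays quiet thanks to the threshold floor; the payload scan reports the one Luhn-valid number and ignores the reference field. In a real deployment the baseline would come from flow telemetry rather than a list literal, and the volume check would typically be paired with the DAM side so that unencrypted access to stored card data is caught before anything leaves the network.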