- The size of the breach the subsequent weight of the breach warrant it being deemed and considered 'important' especially given the nature of the data and the business in which Heartland is involved
- The nature of the alleged perpetrators warrant it being deemed important as this further undscores what many in the information security research community have been asserting for quite sometime; that the motive for enterprise / system compromise has changed and so to have the players involved (a 'global cyber fraud operation')
I am not surprised by the fact that breach occurred. I am suprised that in the age of regulation & compliance (especially in the financial industry), that accurate measures were not taken to ensure the risk posture prior said breach occured. It is, of course, speculation on our part to assume that said measures were not undertaken (PCI DSS 2.0 anyone?), however in light of the breach the logical conclusion is that either the measures leveraged were insufficient (good enough security simply not being good enough) or that the level of sophistication associated with the exploit superceded the mitigative solutions in place within the enterprise be they located on the host or within the enterprise. Just who and what this 'global cyber fraud operation' is has yet to be determined and / or disclosed but regardless of who they are it is important to note that their activity was not indiscriminate and their potential to profit from the compromise was worth the risk associated with their potential apprehension. Regardless of what occurred, the end result is that Heartland, a well respected entity in its industry has reported a breach. According to Robert H.B. Baldwin Jr, Heartland's president and CFO, they believe the breach is contained and are co-operating with the US Secret Service and Department of Justice. Heartland asserts that, no merchant data or cardholder Social Security Numbers, unencryped personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. This is a good thing however only time and due diligence (along with the contracted services of forensics experts), will tell tale in the end. Additionally it is assumed that non of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms. Heartland immediately took a number of steps to further secure its systems. In addition, Heartland will implement a next-generation program designed to flag network anomalies in real-time and enable law enforcement to expeditiously apprehend cyber criminals.
Heartland's breach is of course not unique but should serve as a reminder that 'good enough' security is often not simply 'good enough' and that there is no subsitute for a defense in depth strategy executed against a well articulated and exhaustively tested risk based framework.