Could 5-Year-Old Bank Rules Have Prevented The Heartland Breach?

A financial blog is raising a fascinating question, asking if banking security rules from 2004 might have prevented the Heartland data breach, where cyber thieves hid a sniffer program in an unallocated portion of a Heartland transaction server.

The financial blog quoted a well-placed security consultant, who apparently had direct knowledge of one of the Heartland probes, saying: "This was an 'I told you so' moment for me. I know exactly which part of the process got hit. It was the un-encrypted Point-to-Point connection, which occurs between the Host Security Module (HSM) and the Application Security Module (ASM). But that means that they had to have had a hole in their firewall to insert the sniffer into unallocated disk space."

The blog posting goes on to say that banking rules from four to five years ago might have helped. "Now Heartland is crying poor me and making it sound like they are heroes by claiming that they are going to 'develop' end to end encryption. They should have been using the ISO Banking Security Standards, which were promulgated in 2004/2005. They should be expected to uphold the standard," the site quoted their security expert as saying.

The site, run by Anthony Freed, also raises SEC questions about some stock trades performed by Heartland CEO Robert Carr. This appears to be much more thinly sourced and it comes down to whether Carr knew about the breach months earlier than the company has said. Given that the probe apparently started with Visa and MasterCard notifications, it would seem the timing is well documented, unless Heartland's entire breach timeline is bogus, which seems highly unlikely.

Also, given the financial turmoil that was extremely well known this summer—especially to an executive of a payment card processing firm—there are plenty of non-nefarious reasons why an exec in that space at that time would be selling stock. But Freed appears to have documented his theory well, so it's worth noting.