Heartland Self-Inflicts More Data Breach Injuries

Heartland Payment Systems again finds itself in the glaring light of a data breach probe, but this time, the injuries are almost entirely self-inflicted. The incident in question is the Austin, Texas, data breach of several hundred payment cards from a four-location Greek cafeteria—which one Austin detective said crafts a terrific baklava—that happens to use Heartland as its processor.

A preliminary investigation by the Austin Police Department Financial Crimes Unit—which knows its way around credit card theft—ruled out a skimming attack against Tinos Greek Café. That placed the attention on a database of the cards used at Tinos, either in Tinos computers (just PCs) or at Heartland, said Sgt. Matthew Greer of that financial crimes unit.

When Greer was quoted—and possibly misquoted—at a local television station saying the fault was definitely at Heartland, the company decided to issue a statement defending itself. Although the media relations advice on doing so is mixed—does the processor risk thrusting more attention on the negative story? Is ignoring it a better choice?—Heartland was fully within its rights to do so.

But the problems cropped up because Heartland went beyond a statement that said something like "We have no knowledge of a breach at Heartland, but we await the completion of forensic investigations to know for certain" and ventured into comments that range from misleading to irrelevant and possibly even reckless.

Heartland's statement said two things that were problematic. First, it opened with this: "Heartland Payment Systems has confirmed with the United States Secret Service that it is not a target in the investigation of data theft at one Austin, Texas-area restaurant."

There's no way to interpret that other than as an attempt to imply that the Secret Service had investigated this matter and concluded Heartland was not at fault. In fact, the Secret Service has not investigated this matter yet, nor has Visa, MasterCard, Tinos or even Heartland. The phrase "not a target in the investigation" is horribly misleading.

It has nothing whatsoever to do with assigning the fault for a data breach. It's a federal term for a criminal investigation. In the TJX breach, which the Secret Service did thoroughly investigate, TJX was never the target. Albert Gonzalez and his crew were the targets. So to say that Heartland was not a target of an investigation that hasn't even started is stupendously misleading.

To be explicit, the federal enforcement use of "target" applies to a federal criminal probe. Even if—for the sake of argument—the Secret Service knew for a fact that Heartland had been reckless, careless and irresponsible with the payment card data, Heartland still couldn't have possibly been a target, because reckless handling of payment card data is not in itself a crime under federal law, nor under any state or municipal law. (Whether a federal law should be passed making such conduct illegal is another story.)

But the next part of the statement gets even more fact-deprived. Heartland CIO Steve Elefant issued a quote that said: "The intrusion likely occurred in the third-party point-of-sale system used at the merchant location or as a result of other fraud. The Heartland system has not been compromised in any way."

This is the sad part. If Heartland had simply waited for the results of various full-fledged probes—assuming they're ever launched—it might have been able to say those things accurately. But the company issued that statement on August 13, long before the computers at Tinos had even been examined by anyone. (As of August 18, they had still yet to be examined, according to the owner of Tinos.) Stating as fact that Heartland "has not been compromised in any way" before any investigation has begun seems reckless.

Elefant defended the phrasing. "I don't think it's premature at all," he said, because "we have people who monitor this 24 hours a day" and Heartland would have seen activity had it been breached directly. In other words, Elefant said, because fraudulent activity was only identified with Tinos, that's where the breach must have been.

It's a very fair point. But it's one that would support a statement saying, "Heartland has no reason to believe it was breached." And that statement is very different from a declaration saying the company wasn't "compromised in any way."

Payment card processing is a confidence game. No, not in the con-man sense (well, not usually) but in needing to engender a strong emotional sense of confidence. And unnecessarily over-reaching in statements involving breaches—especially when Heartland is in the history books as housing one of the worst data breaches in payment card history—is certainly asking for trouble.

Let's look a bit more closely at what seems to have happened with Tinos. Tinos owner Jeff Nouri said he first learned of the breach on August 8 when customers started calling the restaurant to complain of false charges on their cards. Nouri said he believes his restaurants have not been storing any payment card data in their systems; rather, that data was sent directly to Heartland. But, Nouri added, he was awaiting a forensic analysis of his computers to be certain.

Nouri said he took comfort in the fact that customers swipe their cards at the POS—which uses ValuePOS software—and that his employees never have access to the card for more than a few seconds. Greer, of Austin PD's financial crimes unit, said he was confident the police investigation had ruled out a skimmer accessing the cards as they were swiped.

Greer said he ruled out a skimmer because of the locations where the stolen numbers were used (Europe, South America and Asia) and the multi-week and sometimes multi-month delay between time of theft and time of use. The typical pattern with skimming, he said, is usage within 100 miles of the victim and rapid usage. "We would have seen a lot more cards showing up in the Austin area and a lot quicker" had it been a skimmer, Greer said.

Heartland's Elefant disputed this pattern and said he has often seen skimmed attacks resulting in faraway charges that may not materialize for an extended period of time. (We're inclined to agree with Elefant on that one. Skimming fraud patterns tend to be all over the map.)
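The two signals Greer relied on (where the stolen numbers were used, and how long after the swipe) can be scored over a set of fraud reports. The example below is added here and is not code from the article, the Austin Police Department or Heartland: it encodes Greer's 100-mile rule of thumb, adds an assumed seven-day "rapid usage" cutoff, places the merchant at approximate Austin coordinates (the article gives none), and runs over constructed fraud reports. It deliberately reports the evidence rather than a firm attribution, because, as Elefant's objection shows, skimming fraud does not reliably stay local or fast.

```python
"""Fraud-pattern triage: local skimmer vs. theft of stored card data.

Added example, not from the article or from Austin PD / Heartland.
Merchant coordinates, thresholds and the fraud reports are all assumed
or constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from math import asin, cos, radians, sin, sqrt
from statistics import median

MERCHANT = (30.27, -97.74)     # assumption: approximate Austin, TX location
LOCAL_RADIUS_MILES = 100       # Greer's rule of thumb for skimmer fraud
FAST_USE_DAYS = 7              # assumption: what counts as "rapid usage"


@dataclass(frozen=True)
class FraudReport:
    card_ref: str              # opaque case reference, never a PAN
    swiped_on: date            # last legitimate swipe at the merchant
    fraud_on: date             # first fraudulent use reported
    lat: float                 # where the fraudulent use occurred
    lon: float


def miles_between(a, b):
    """Great-circle distance in statute miles (haversine formula)."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 3958.8 * asin(sqrt(h))


def summarize(reports, merchant=MERCHANT):
    """Compute the two signals the detective relied on and read them cautiously."""
    distances = [miles_between(merchant, (r.lat, r.lon)) for r in reports]
    delays = [(r.fraud_on - r.swiped_on).days for r in reports]
    local_share = sum(d <= LOCAL_RADIUS_MILES for d in distances) / len(reports)
    fast_share = sum(d <= FAST_USE_DAYS for d in delays) / len(reports)
    if local_share >= 0.5 and fast_share >= 0.5:
        reading = "consistent with a local skimmer"
    elif local_share < 0.2 and median(delays) > 30:
        # Far-away, slow use points at stored data, but does not exclude a skimmer.
        reading = "more consistent with theft of stored data (skimmer not excluded)"
    else:
        reading = "mixed; usage pattern alone does not attribute the theft"
    return {
        "local_share": round(local_share, 2),
        "fast_share": round(fast_share, 2),
        "median_delay_days": median(delays),
        "reading": reading,
    }


# Constructed sample: cards used overseas weeks to months after the swipe.
STORED_DATA_PATTERN = [
    FraudReport("c1", date(2009, 5, 12), date(2009, 7, 30), 51.51, -0.13),    # London
    FraudReport("c2", date(2009, 6, 3), date(2009, 8, 2), -23.55, -46.63),    # Sao Paulo
    FraudReport("c3", date(2009, 4, 20), date(2009, 8, 5), 1.35, 103.82),     # Singapore
    FraudReport("c4", date(2009, 6, 28), date(2009, 8, 7), 48.86, 2.35),      # Paris
]

# Constructed sample: cards used around Austin within days of the swipe.
SKIMMER_PATTERN = [
    FraudReport("c5", date(2009, 8, 1), date(2009, 8, 3), 30.31, -97.70),     # Austin
    FraudReport("c6", date(2009, 8, 1), date(2009, 8, 4), 30.51, -97.68),     # Round Rock
    FraudReport("c7", date(2009, 8, 2), date(2009, 8, 3), 29.88, -97.94),     # San Marcos
    FraudReport("c8", date(2009, 8, 2), date(2009, 8, 7), 30.44, -97.62),     # Pflugerville
]

if __name__ == "__main__":
    for name, reports in (("stored-data", STORED_DATA_PATTERN), ("skimmer", SKIMMER_PATTERN)):
        print(name, summarize(reports))
```

The point of returning a hedged "reading" instead of a verdict is the one the article makes: the pattern supports "we have no reason to believe X" and not "X was not compromised in any way". A forensic examination of the POS hosts and the processor's logs is what turns the heuristic into a finding.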