Just Three People Accused Over Heartland Breach, and Others
It can be amazing sometimes how inter-related many Information Security events can be, especially when they are important enough to make the news individually. Major credit card data thefts in the last couple of years from Heartland, 7-Eleven, TJ Maxx, and others all made news in their own right, but now one individual is being charged in relation to all of the cases, with up to 130 million different card details having been compromised across all of the various companies and businesses that the accused broke into.
Using SQL-injections in at least some of the cases, the accused and two unnamed co-accused were able to extract the information and make plans to sell the data for other fraudulent use. The use of a well-known and understood technique, not to mention one that can be defended against, speaks volumes about the inherent state of data security within the organisations that were breached. Those responsible for managing data in other businesses should look at these cases as a warning about what can happen when things go wrong, and take steps to mitigate that risk.
Companies that are moving to using external services for managing and storing their payment and privacy related data need to be certain of the level of services being provided and not merely assume that it will be fine. In some cases, moving data to external services can make it difficult or impossible to maintain at the same standard of protection that it would have been at if kept internally.
Facing up to 20 years jail time for fraud and another five years for conspiracy, it would make for a serious punishment, which not many would argue is over the top. A concern is that the accused was at one stage an informant for the US Secret Service, providing technical expertise for tracking other hackers and was previously involved with the carder group Shadowcrew. It wouldn't be the first time that authorities have misjudged the capabilities and motivation of the people they are working with and ultimately up against.
Court dates for the suite of charges won't be until 2010, and by then we all may get to find out the identities of the still-unnamed major retailers that were also attacked and compromised as part of the spate of attacks. Whoever they are, they are seemingly in violation of breach reporting rules and it, too, will be worth watching to see the reasoning given for not notifying customers in a reasonable or even regulated timeframe. There isn't anything that can be gained from this information being kept secret, so it needs to be something incredible for this information to have been suppressed for so long.
It is going to be some time until a major sequence of attacks such as these can be tied back to an individual or a small group of attackers but there are massive botnets where the authors remain unknown that would likely challenge for scope of overall breach, but not for media notoriety prior to arrest.
19 August 2009
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.
Subscribe to our feed.