What is more interesting, however, are the sketchy details we have about what actually happened.
The supposed facts according to Heartland (per Brian Krebs's article):
- Heartland does "not know" how long the breach has been taking place.
- The company processes 100 Million transactions per month.
- Malware was involved.
- Data was being sniffed.
- The company is claiming that full track data was not compromised.
There have been a lot of suggestions that this was an "inside job," but I am skeptical. It is unlikely an employee of the organization wrote the perfect custom malware solution to rip the company off, and established a relationship with some overseas criminal mastermind to offload hundreds of millions of card numbers.
I think that more likely, someone at Heartland didn't set up host-based security properly in addition to the perimeter being soft, and the systems in question didn't get included as part of the PCI sample set, so no one caught it.
Furthermore, the data clearly was not encrypted in transit on the internal network: by Heartland's own admission it was grabbed off the wire. Note that the DSS (Requirement 4.1) only mandates strong cryptography for cardholder data crossing open, public networks; cleartext on the internal processing segment is compliant, which is exactly what makes a sniffer on an internal host so effective.
As far as the malware is concerned, the file integrity monitoring required by PCI (Requirement 11.5) should have flagged a new or modified binary on a cardholder-environment host. Also, the required IDS/IPS (Requirement 11.4) should have seen the anomalous outbound traffic as the stolen data left the network.
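To make concrete what file integrity monitoring actually detects in the scenario above, here is an added example (my own illustration, not code from the original post or from any FIM product): it hashes every file under a directory to form a baseline, then reports files that were added, modified or removed. The directory layout, file names (`bin/procsvc`, `bin/sniff`, `etc/procsvc.conf`) and contents are constructed for the demo and are not real Heartland artifacts.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (path relative to root, POSIX form) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks: hashing the target would hide a swapped link.
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: new files, deleted files, and files whose digest changed."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake host, then simulate a dropped sniffer and a tampered service."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Hypothetical "known good" state of a processing host (constructed sample data).
        (root / "bin" / "procsvc").write_bytes(b"\x7fELF original payment service")
        (root / "etc" / "procsvc.conf").write_text("listen=0.0.0.0:8443\n")
        baseline = build_baseline(root)

        # Simulated compromise (constructed): an unexpected binary appears, the service
        # binary is patched in place, and a config file disappears.
        (root / "bin" / "sniff").write_bytes(b"\x7fELF not part of any build")
        (root / "bin" / "procsvc").write_bytes(b"\x7fELF original payment service + injected hook")
        (root / "etc" / "procsvc.conf").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would add: a baseline diff only covers paths it was told to watch and only at the interval it runs, so malware that lives purely in memory, or in a directory outside the monitored set, never shows up; and the baseline itself must be stored and checked off-host, otherwise the same attacker who dropped the binary can re-baseline it. That is why the DSS pairs FIM with network-level IDS/IPS rather than relying on either alone.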
What will the overall 'lesson learned' from this breach be?
My prediction: Data Loss Prevention products are going to be required at ingress/egress points on the cardholder environment. Another prediction: This will be released as a clarification / addendum before the next dot release of the DSS (1.3).