Heartland issues breach notification letters after computer theft

In a letter to the California Attorney General, Heartland Payment Systems has disclosed a data breach impacting personal information. The letter states that the data exposure is the result of a break-in at one of their offices, which included stolen computers.

The notification letter says that the theft took place at Heartland’s Santa Ana, California offices on May 8. The incident involved the theft of many items including password protected computers that might have contained Social Security Numbers and / or banking information that is processed by employers.

“We have seen no evidence suggesting that the data has been accessed on the stolen computers or used in any way, and we have no reason to believe any such use will occur. We have involved state and federal regulatory and law enforcement agencies to assist us in determining how to proceed with the matter at hand,” the notification letter states.

In 2008 Heartland was the victim of one of the world’s first major data breaches that exposed 130 million U.S. credit and debit cards.

As a result, the company was the poster child for what happens when security fails for many years. Yet, since that time the company has made serious strides towards improving not only their own security posture, but the posture of their customers as well. They’ll even pay the breach costs accrued by a customer if their products fail.

But the fact that the letter makes no mention of encryption is concerning. This leads one to assume that password protection is the only layer of defense on the systems, which is a problem because the thieves have physical access to the data.

It’s possible that the letter is intentionally vague, offering just the basics to those impacted in order to avoid confusion. It’s also possible the incident was a snatch and grab type of theft, and the goal was to sell the stolen hardware on the streets – but that still leaves the unencrypted data at risk.

Nevertheless, Salted Hash has reached out to Heartland for clarification, and we’ll update this story should they respond.

“When physical security controls are not adequately maintained alongside technical security controls, the opportunity for a data breach greatly increases. Implementation of local encryption in addition to ensuring physical security policies require robust controls around machines housing PII would have been two good mitigation strategies that could have been implemented in this case,” said Stewart Draper, director of insider threat at Securonix in a statement.

“The potential for identity theft rises tremendously is cases of payroll theft because many of the many pieces of sensitive data that are obtained and cannot be changed as easily as a credit card number can. Protecting your data where it resides (physical and technical) is essential since your security defenses are only as strong as your weakest point.”

Physical security is often forgotten when it comes to protection planning, as an organization’s investment dollars are usually spent on endpoint and network defenses.

“Although many companies invest heavily in their security programs, particularly after a breach, to help secure their networks from remote hackers, many of the security controls they implement go out the window once a device is stolen,” added Ken Westin, senior security analyst for Tripwire.

“In my experience working with law enforcement on several cases where systems were stolen from offices, systems such as servers and desktops are unfortunately often left unencrypted, with a belief that they are secure as they do not leave the building.”

Heartland is offering one year of credit monitoring from Kroll to those affected by the incident.

Update:

Heartland has issued an official statement with additional details. According to the press release, the office that had the theft was a former Ovation Payroll location and was in the process of being fully integrated into Heartland’s information and physical security systems. Based on the statement’s wording, the data on the stolen systems was not encrypted, as they had not been fully merged with existing processes.

“Among the items stolen were TVs, LCD panels and 11 password-protected desktop computers. Of these 11 computers, Heartland suspects that four computers contained personally identifiable information (PII),” the statement goes on to say.

“The four computers were not connected to any other Heartland office, business, system or server, but may have contained PII on some of the individuals serviced from that payroll office. Heartland has notified local, state and federal authorities and has also personally alerted approximately 2,200 individuals that their personal information may have been affected by the burglary.

“As part of our ongoing commitment to security, Heartland has already encrypted most computers, and as we integrate acquisitions, Heartland is actively working to encrypt any remaining computers in every office that may have access to, or house, PII or payment data.”