By Rick Ricker
VP, Enterprise Payment Solutions
3Delta Systems, Inc.
Part 2 of a 2-part series
Today’s businesses are magnets for criminals trying to hijack, steal or destroy personally identifiable information, medical records and credit card numbers. The increasing frequency and severity of data breaches prove these cyber thieves are highly motivated and sophisticated, knowing exactly where and what to target.
Sometimes, the bad guys get caught.
Bringing Cyber Criminals to Justice
U.S. authorities handed down indictments recently in a massive hacking case that’s being described as the largest data security breach scheme prosecuted in American history.
This hacking spree, which spans more than seven years and has led to hundreds of millions of dollars in corporate losses, reveals how persistent and brazen criminals have become in exposing weaknesses in computer network defenses – and why infosec executives and administrators must stay vigilant in monitoring for system intrusions and apply the best tools and attack countermeasures to prevent similar breaches at their companies.
On July 25, New Jersey’s U.S. Attorney Paul Fishman filed criminal charges against five hackers – four in Russia and one in the Ukraine – who infiltrated the computer systems of 16 major American and multinational corporations to steal credit- and debit-card information, login credentials and confidential personal data. The resulting breaches cost “hundreds of millions” in losses, including more than $300 million by just three of the corporate victims.
Federal prosecutors accused the hackers of stealing more than 160 million credit- and debit-card numbers between August 2005 and July 2012 from some of the world’s biggest retailers, payment processors and financial institutions. Other companies had passwords, user names and valuable personal information compromised. According to prosecutors, the 160 million stolen card numbers represent a conservative estimate because the hackers allegedly had access to the computer networks of many victims for more than a year.
Credit- and debit-card processors were among the hardest hit, including Heartland Payment Systems Inc.; Global Payments Inc.; Ingenicard US, Inc.; Euronet; and European payment processor Commidea Ltd.
The Heartland breach, which made headlines all over the world in 2009 because of its massive size, was traced to malware the hackers had secretly embedded on the company’s network in late 2007, which led to the theft of more than 130 million credit card account numbers.
According to the federal indictments, the hackers gained entry to Heartland’s computer systems using a technique known as a “SQL injection attack,” named for Structured Query Language (SQL), which probes for vulnerabilities in certain types of databases stored on a computer network. Once inside Heartland’s system, the hackers infected the network with malware to give themselves “back door” access.
This malware went undetected for months, even though Heartland maintained it was in compliance with security controls required by the Payment Card Industry Data Security Standard (PCI DSS) for all businesses that handle sensitive credit card information. Ultimately, Heartland suffered a loss of approximately $200 million in breach-related costs.
Atlanta-based Global Payments Inc. acknowledged in March 2012 that its card processing network had also been penetrated, although federal prosecutors claim the attacks began as early as January 2011.
Like Heartland’s breach, the attack on Global Payments’ computer network involved a SQL injection that installed malware on the processor's computer network and payments processing system. The federal indictments allege more than 950,000 card numbers were stolen, although Global Payments reported earlier this year that 1.5 million U.S. debit and credit cards had been compromised. According to the indictments, this breach cost Global Payments approximately $93 million, but company executives said during a recent call with investors that the estimated total would come closer to $95 million.
Financial institutions weren’t spared by the hackers, either. They targeted the NASDAQ electronic stock exchange, Visa Jordan Card Services, Diners Club Singapore, the Dexia Bank of Belgium and “Bank A” of the United Arab Emirates.
JetBlue Airways and Dow Jones were also breached. So were major retailers such as JCPenney, Inc.; convenience store chain 7-Eleven, Inc.; Hannaford Brothers Co. supermarkets based in New England; Wet Seal, Inc. apparel stores; and French multinational retailer Carrefour, S.A.
According to the indictments, the stolen credit cards and associated data were sold on the black market, where U.S. cards fetched $10 each, Canadian cards went for $15 and European versions that use more secure chip-and-pin EMV technology sold for $50 apiece. Discount pricing was given to bulk and repeat “customers.” Ultimately, the end users encoded each card “dump” onto the magnetic strip of a blank plastic card and cashed out the stolen cards’ value by either withdrawing money from ATMs or making purchases with the cards.
So far, two of the hackers have been arrested, with one in federal custody and the other awaiting an extradition hearing in the Netherlands. The other three remain fugitives.
The federal indictments also named Albert Gonzalez, who is currently serving 20 years in prison for his role in the Heartland and Hannaford breaches, among the co-conspirators.
How to Protect Your Company
Data breaches like these pose a real security threat to every business that handles credit card or other types of payment transactions for its customers.
The fallout from a data breach also equates to lost sales and revenue for a company plus lawsuits, damage to its brand and reputation, customer loss, and stiff fines for not complying with PCI DSS requirements.
Yet, to be PCI compliant for securely storing card numbers and associated data, merchants have two choices:
- Build and maintain a secure IT infrastructure themselves (which can be difficult and expensive, since every touch point where data is handled must be secured)
- Outsource to a highly secure, cost-effective and customer-focused partner like 3Delta Systems – a pioneer of credit card tokenization for business-to-business (B2B) companies
3Delta Systems’ CardVault® enables either standalone tokenization or tokenization integrated with credit card processing. Both options let businesses easily accept and process customer card payments while eliminating the risk of storing their sensitive card information on internal systems, thereby protecting data from hackers, promoting faster and easier PCI compliance and cutting costs.
To learn more about CardVault, we’ve made these free resources available for download:
- At-a-glance outline of CardVault’s features and benefits
- Whitepaper: Stopping Data Cyberthieves In Their Tracks
- Data sheet: How CardVault works
- Tip sheet: Top 10 Best Practices for Fighting Credit Card Theft and Fraud
For a free consultation about how CardVault can help your business safeguard its payment data, give us a call at (703) 234-6010 or drop us a line at firstname.lastname@example.org.
Click here to read Part I: Is Your Enterprise a Sitting Duck?