Heartland Payment Systems spent about $32 million in the first six months of this year on forensics and legal work related to the December 2007 database breach, CEO Robert Carr told a U.S. Senate committee this week.
Paul Demery, Managing Editor, B2B E-commerce
Heartland Payment Systems Inc. spent about $32 million in the first six months of this year on forensics, legal work and other activities related to the December 2007 database breach that resulted in the theft of millions of credit and debit card numbers, CEO Robert Carr told the U.S. Senate Committee on Homeland Security and Government Affairs this week.
In his testimony, Carr also called for better cooperation between the financial industry and the government, including the sharing of information on security threats, to protect data from cyber criminals. As part of an effort to share such information, Heartland pushed for formation of a committee, the Payments Processing Information Sharing Council, within the Financial Services Information Sharing and Analysis Center to share information about fraud, threats, vulnerabilities and risk mitigation practices, he said.
“At the PPISC, I shared with the payment industry members the malware which we discovered had been used to victimize Heartland,” Carr said. “I believe that by sharing this with others, including our industry competitors, we can better respond to organized attackers.”
In the December 2007 attack, hackers used so-called SQL injection strings to break into a merchant-facing payroll page, placing malware into Heartland’s corporate system. The malware eventually worked its way into the payment processing system, enabling criminals to access unencrypted in-transit payment card data during the transaction and authorization process, Carr said.
Carr again made a pitch for end-to-end encryption, which he said is the only way to prevent criminals from using stolen data. Heartland is in the process of developing a technology called E3 that encrypts data at the point of sale and keeps it encrypted until it reaches the payment card settlement and authorization networks.
“We are working with various suppliers of the technology to make E3 a reality and more ubiquitous,” Carr said. “We are hopeful that these efforts will minimize the costs to merchants while not inconveniencing cardholders and yield a payment processing system that is more secure.”
Heartland this week also launched E3secure.com, an educational web site about end-to-end encryption technology and the E3 solution.