We All Have Lessons to Learn From the Heartland Data Breach - Whether Board Member, Executive, or Professional

On January 20 of this year, Heartland Payment Systems reported that it suffered a data breach in 2008 — identified not by the company but by Visa and MasterCard’s monitoring programs. This was very significant because Heartland processes more than 100 million card transactions per month for about 250,000 customers.

Unnamed individuals had apparently placed malicious software on their servers with the intent to steal credit card information. Heartland asserted no merchant data, cardholders' Social Security numbers, or unencrypted personal identification numbers, addresses, or telephone numbers were compromised. It is also important for all of us because, according to their CEO, Heartland had received a passing grade on their Payment Card Industry (PCI) compliance and was relying on that external audit.

Board members, executives, IT security professionals, risk officers, compliance officers, and internal auditors should understand what happened, and there are valuable lessons to be learned.

Computerworld quoted Avivah Litan, an analyst at Gartner Inc.:

Given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that much, if not more. ‘It does look like the biggest ever,’ Litan said. ... More radical security moves need to be taken by [the] payments industry as a whole to address the problem, she added. Such incidents show that the security requirements of the Payment Card Industry Data Security Standard being pushed by the major card companies [are] clearly not enough.”

In August, Heartland’s CEO, Robert Carr, responded to a Q&A from CSO Online. He explained how, in his opinion, PCI compliance auditors failed the company. He said:
The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can't reconcile that.
In the post-Enron environment, the auditors have contracts with clients that essentially absolve them of gross negligence. The false reports we got for 6 years, we have no recourse. No grounds for litigation. That was a stunning thing to learn. In fairness to QSAs, their job is very difficult, but up until this point, we certainly didn’t understand the limitations of PCI and the entire assessment process. PCI compliance doesn’t mean secure. We and others were declared PCI compliant shortly before the intrusions.

A number of IT governance and security experts responded to the blaming of PCI auditors. Rich Mogull responded in an open letter, posted in his Securosis.com blog. Here are some excerpts:

“I completely agree that the current system of standards and audits contained in the Payment Card Industry Data Security Standard is flawed and unreliable as a breach-prevention mechanism. That said, your attempts to place the blame of your security breach on your QSAs, your external auditors, are disingenuous at best.
“As the CEO of a large public company you clearly understand the role of audits, assessments, and auditors. You are also fundamentally familiar with the concepts of enterprise risk management and your fiduciary responsibility as an officer of your company. Your attempts to shift responsibility to your QSA are the accounting equivalent of blaming your external auditor for failing to prevent the hijacking of an armored car.
“The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn’t even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI.”

I don’t have any insider or special knowledge of the Heartland incident, but there are a number of important lessons that can be made learned by reflecting on the assertions by Carr and Mogull:

1. Boards and executives should understand what work is being done before placing reliance on it. Assurance providers should ensure their customers understand what assurance they are providing — and what they do not provide.

The CEO asserts he was placing reliance on the PCI compliance audit. But as Mogull says, “The role of your QSA is to assure your compliance with the standard, not secure your organization from attack. Their role isn’t even to assess your security defenses overall, but to make sure you meet the minimum standards of PCI.”

Management is responsible for its systems of internal control and security. It can employ the services of others, whether internal auditing or external assurance providers, but it should understand the extent and limits of the assurance provided. Carr seems to have ‘assumed, and we all know what assume means.

2. Being compliant with a standard does not mean you are secure.

The Heartland breach is an excellent example of how you can be compliant with a standard, even one intended to reflect best practices in preventing a breach, and still suffer one. Management, security, risk, audit, and compliance professionals should look beyond the standard, whether an external one like PCI or an internal standard, and determine whether it is sufficient to manage the related risks to the organization. Complying with (or auditing to) a standard is not the same as managing (or auditing) the risk and its related controls.

3. Following the rules does not necessarily mean you meet the principles behind them.

The bane of those of us in the United States is that our accounting standards are rules-based instead of principles-based. I was at an audit committee meeting where the external auditors were challenged by the directors and management on why they had insisted on a large write-down of tax assets. They defended their position as being required by the rules of Generally Accepted Accounting Principles. I asked whether the resulting financial statements reflected a “true and fair view” of the company’s results and financial position. They had to admit they did not, but the rules made them do it.

Outside the United States, most of the world has principles-based standards. While there are murmurs that there is so much room for judgment that the standards are too loose, I still prefer and advocate principles-based rather than rules-based standards.

Rather than looking at compliance with rules and standards, let’s step back and ask whether the principles behind those rules and standards have been achieved. It’s quite possible, as was asserted for the PCI standards, that the standards are not adequate.

4. Using a list of best security practices, a standard audit program, or a checklist of required controls may mean you are missing the point.

The lesson is clear from Heartland that following what was considered best practices, at a prior point, for other companies, may not be best practice for your organization. Understand the risks to the organization’s strategies and objectives, then implement the controls necessary to manage those risks within organizational tolerances. 

I welcome your comments.

Posted on Sep 2, 2009 by Norman Marks

Share This Article:    

  1. Well, then, . . . is there any one real way to check to be absolutely sure there are not breaches?  Or is it just a matter of constant diligence in monitoring, and spot checks, and constant EXTENSIVE auditing (since their regular audits were not useful)?  I'm still not sure what actual steps can be take to ensure against this, though I do now know that all the standard mechanisms that, heretofore, certified security, are not to be trusted.

  1. Welcome, Ann. Great to see you here.

    You ask a good question - thanks!

    The point is that if we want to protect our home from, let's say, a fire we should inspect the terrain, the weather prospects, the condition of the home and the landscape around it. That will help us understand our vulnerability and where the risks are. Then we can make intelligent decisions about what to do.

    In the Heartland type of situation, the homeowner Googled 'fire protection' and downloaded a checklist of things to do to pass an inspection by the fire department. He did them and felt comfortable he was in compliance.

    Guess what happened to his house?

  1. This is a risk companies would have to accept. .

  1. I'll tell you what I have learned, not only from the Heartland incident, but from my own personal experience (yes I am a victim of internet fraud 9+ years ago).  I am the one that needs to be diligent in my own personal identity security.  I have long ago lost faith in ANY company being able to protect my personal records.  I don't hide my money under the bed (I use a coffee can instead...just kidding), but I frequently monitor all of my financial accounts.  I understand what my personal liability is and I know how to contact all of my financial institutions from my bank on down to the various credit reporting agencies.

    Companies need to balance ease of use and security, but I for one would love to have a company tell me that they were trying to err on the side of security rather than ease of use, even if I had to contort my fingers on the keyboard to type in some 256 bit password full of special characters, capital letters, etc.  At least it would make me feel better... ;-)

     

  1. Very interesting story and I agree with the other comments.  A CEO who relied on a compliance audit to become comfortable  with intrusion risks, probably shouldn't be CEO.  Heartland clearly should have addressed this internally, especially given their industry.

    I have to wonder though, if their PCI auditors did their job as a champion for the profession.  This may be like some of the audited financial statements issued during the 1980's S&L crisis where a small bank would receive an unqualified audit opinion right before they failed.  The CPA could justify their opinion, on the basis of financial statements being fairly stated, but it hurt the credibility of the profession to have a clean opinion for a failing business.  The public perceived the auditors as having a greater role. Perhaps Heartland's auditors could have recommended additional security reviews or a more robust IT audit function.  I believe that all of us need to be champions for our profession and to look for these opportunities.

  1. What is a breach? People downloding data when they shouldn't have. Who is responsible? To me, it starts with the network, DB, OS vendors. Do people believe Microsoft cared about security when they rolled out Vista? A company does not have unlimited resources to deal with security. Hackers will always find a way. Companies who say they are secure don't know what to look for.

  1. All Risk Management, Internal Audit and internal controls activity are trade-offs between the cost of such "overheads" and the cost of actualization of the risk. Too often we find companies where the universe of risks is either incomplete, the risks as understated, or the assessed potential actualization costs are poorly documented or not accepted. The information technology people are the experts, and Internal and External Auditors are at best an additional level of assurance - primary assurance must come from a confidence that the right people in the business are doing the right job. So to add to your 4 points.



    1. Boards and Executive management must have confidence in the work being done by management. Assurance should be provided over the competence of the people doing the work.



    2. Management in the business should also assess what additional or residual threats exist. Leaving it to the auditors to point out additional risks is a sign of inadequate management.



    3. Management must determine where following the rule alone is inadequate, and should not fall back on the argument that they "followed orders". It is managements responsibility to question orders, not to wait for the auditors to question orders.



    4. Checklists (like speed) kill. Management must look beyond the checklists, and must determine if there are residual risks or vulnerabilities. Management must take the case for the additional funding required to limit those risks.



    It is management's responsibility to manage the business, and that includes risks. Internal Audit's responsibility is to provide some confidence the the Board and Executives that management is effectively identifying, responding to and controlling (where possible) risks and vulnerabilities.


     

  1. The term "standard" in most fields connotes least-common-denominator functionality, and it appears that the PCI standards fit the bill. Just adhering to standards will, as you aply put it, make one a standards-following owner of a burnt out shell. The Hearltand story highlights the issue of responsibility as well, particularly if your company's vulnerability exceeds the initial conditions that promulgated the standard. I wouldn't necessarily blame Carr for willful ignorance -- too many CEOs are shocked to find out they were given bad advice about a lot of operational issues -- but his experience is a cautionary tale for all CEOs: take responsibility for key vulnerabilities in your organization, or face the consequences.

  1. What are readers' current feelings about transitioning these types of transactions into the cloud computing environment?

  1. This reads as a case where internal and external stakeholders (board members, executive and operational management, staff, third-parties, etc.) may not fully understand the underlying business model, its associated risks or ask the proper questions.  Risk analyses and the applicable inherent and residual risks may not have been comprehensive, fully understood or captured as part of an inherent business model.

    The use of checklists serves as an initial guide to provide a framework to develop a company specific program and should not be used as the end all. Professional standards indicate we may not be an "expert" when undertaking an assignment, but, we are required to have the requisite knowledge to perform and/or review the work performed by others during an engagement.
     
    Professional skepticism and awareness to risks (known and perceived) as well as understanding and performing “what if” scenarios are basic tenets of business that continuously need to be refined and improved upon by all professionals.
  1. The breach was detected, but by Visa and MasterCard's monitoring programs.  Perhaps this basic COSO Component -- monitoring -- was missing or was not adequate at Heartland.  Yes, we should do all we can to prevent fires, but we also need a way to detect them before the house burns down.

Leave a Reply