Courtesy of Brian Krebs of the Washington Post, it appears that the largest ever breach of credit card data may have occurred. It appears that a payment processor company in the United States, Heartland Payment Systems, discovered malware on their network that may have captured the credit and debit card details of over 100 million credit cards. The data captured include names, credit and debit card numbers and expiration dates.
There are no details yet as to how the malware got onto their network, or indeed what type of malware it is or the type of systems infected. Often when I do security assessments for clients I see strong malware controls on desktops and servers, but the network itself is one area that is often overlooked. Routers, switches and other network components are often never looked at again once they have been installed. These devices are invariably not included in any vulnerability or patch management strategy and will probably not have been upgraded, reviewed or tested since they were installed. This leaves a gaping hole in your security infrastructure, as once an attacker controls a router or switch they have access to all the data that passes through it.
Another item to consider is what monitoring was in place to detect any suspicious behaviour. Again, this is something I often find clients overlook as part of their information security infrastructure. The article does explain that Heartland found the malware as the result of an investigation, so, to be fair, it is possible that their monitoring systems alerted them to some suspicious behaviour. However, until more details are available we can only rely on speculation at the moment.
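As an illustration of the kind of monitoring the previous two paragraphs argue for, here is a small added example (it is not from Krebs's article, from Heartland, or from the original post): it takes per-connection flow records from hosts in the cardholder data environment, builds a per-host baseline of normal egress to allowlisted partner addresses, and raises an alert either when a host sends data to an external destination that is not on the allowlist or when its volume to an allowed destination jumps well above its own baseline. Every address, host name and flow record below is constructed sample data; the allowlist entry is a placeholder standing in for a real bank or card-brand gateway.

```python
"""Egress monitoring over flow records for a cardholder data environment (CDE).

Added example with constructed data. Flow records would normally come from a
router/switch NetFlow export or a firewall log; here they are embedded inline.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed: the internal address space and the only external destinations
# a CDE host is expected to talk to (placeholder for a bank/card-brand gateway).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL = {"203.0.113.10"}

# Constructed flow records: (day, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    ("d1", "10.1.1.5", "203.0.113.10", 443, 2_000_000),
    ("d2", "10.1.1.5", "203.0.113.10", 443, 2_100_000),
    ("d3", "10.1.1.5", "203.0.113.10", 443, 1_900_000),
    ("d3", "10.1.1.5", "198.51.100.77", 443, 9_000_000),  # unknown external host
    ("d1", "10.1.1.9", "203.0.113.10", 443, 500_000),
    ("d2", "10.1.1.9", "203.0.113.10", 443, 520_000),
    ("d3", "10.1.1.9", "203.0.113.10", 443, 510_000),
    ("d4", "10.1.1.9", "203.0.113.10", 443, 4_000_000),   # allowed host, unusual volume
    ("d3", "10.1.1.9", "10.1.2.20", 445, 50_000_000),      # internal traffic, not egress
]


def is_external(ip: str) -> bool:
    """True if the address lies outside every internal network."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """Sum bytes per (host, day, destination), counting external destinations only."""
    totals = defaultdict(int)
    for day, src, dst, _port, nbytes in flows:
        if is_external(dst):
            totals[(src, day, dst)] += nbytes
    return totals


def host_baselines(flows):
    """Median daily egress per host to allowlisted destinations.

    The median is used rather than the mean so that a single large day does
    not drag the baseline up and hide itself.
    """
    per_host = defaultdict(list)
    for (src, _day, dst), nbytes in daily_external_egress(flows).items():
        if dst in ALLOWED_EXTERNAL:
            per_host[src].append(nbytes)
    return {host: median(values) for host, values in per_host.items()}


def find_egress_anomalies(flows, factor=3.0):
    """Return alerts for unknown destinations and for volume spikes to allowed ones."""
    baselines = host_baselines(flows)
    alerts = []
    for (src, day, dst), nbytes in sorted(daily_external_egress(flows).items()):
        if dst not in ALLOWED_EXTERNAL:
            reason = "unknown destination"
        # A host with no baseline at all (.get -> 0) is flagged on any egress.
        elif nbytes > factor * baselines.get(src, 0):
            reason = "volume spike"
        else:
            continue
        alerts.append({"host": src, "day": day, "dst": dst,
                       "bytes": nbytes, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_egress_anomalies(FLOWS):
        print(f"{alert['day']} {alert['host']} -> {alert['dst']} "
              f"{alert['bytes']} bytes: {alert['reason']}")
```

Run against the sample data this reports two alerts: host 10.1.1.5 sending 9 MB to an address that is not on the allowlist, and host 10.1.1.9 sending roughly eight times its usual daily volume to an allowed partner. The design point is that both checks depend on knowing what normal looks like for the cardholder environment, which is exactly the information that is missing when network devices and their traffic are installed and then never reviewed.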
No doubt questions will be asked as to whether or not Heartland was PCI compliant. To me this is a non-issue. If you have implemented a strong information security infrastructure then PCI compliance, or indeed any compliance, will practically be a side benefit. As always I will repeat the mantra, just because you are compliant does NOT mean you are secure.
I await more details on this breach with interest. As always we should use all of these breaches as an opportunity for ourselves to learn how better to protect our own networks and data.