Archives For Heartland

Albert goes down!

January 6, 2010 — Leave a comment

You won’t want to miss this – thanks Randy for sending this over!  While you’re learning sound bites, having the final chapter on Albert Gonzalez can’t hurt…

“Albert Gonzalez has pleaded guilty to charges of conspiracy for his role in the massive data breach that compromised millions of payment card accounts from the networks of Heartland Payment Systems, 7-Eleven, Hannaford Bros. and other retail and financial organizations. The terms of the plea agreement call for a sentence of not less than 17 years and not more than 25 years.” Read more here:


Heartland is working on security – comments from the top may help you as you talk security with the business leaders running the accounts you call on… Some great sound bites sent over by a recent workshop attendee – thanks Tim!

COMMENT: Notice that PCI isn’t enough. It’s interesting that Heartland was considered compliant before the breach but not after, with no change to its security system, just a failure to protect the data (something the PCI standards don’t list).

“Carr says that one lesson he’s learned from the breach is that the industry’s security standard, called Payment Card Industry or PCI, doesn’t go far enough. It’s the “lowest common denominator,” he says, adding that the audit didn’t detect the vulnerability that led to the hack even though it had existed for years.”

COMMENT: Heartland was not required to disclose this breach… read why!

“The laws typically cover so-called personally-identifiable information, which includes some sort of number in combination with a name. The data the hacker stole from Heartland only included credit-card numbers and bank codes. That was enough for the hacker to steal money from card holders’ accounts, but because there was no way for the bad guy to learn the identities of the card holders, Heartland wasn’t required under state laws to disclose the breach.”

COMMENT: Heartland’s voluntary response goes beyond PCI. Remember Tylenol and the Solid Come Back? I was there… working with McNeil at the time. The proper response makes all the difference.

“Heartland is getting ready to roll out a more secure credit-card processing system for its customers. The new system, which will be available on a trial basis starting in the third quarter, will encrypt credit-card data from the time cards are swiped at a store until the data are delivered to the issuing bank.”

(Quotes from:

© David Stelzl 2009

Wall Street writer Ben Worthen, in an article dated March 10, 09, recounts some of the growing risks of identity theft, validating many of the statistics I’ve given over the past two years. Here’s a short excerpt:

“The number of reported data breaches of all kinds in the U.S. climbed to 656 last year from 446 in 2007, according to the Identity Theft Resource Center, a nonprofit organization based in San Diego that helps identity-theft victims. These breaches affected some 36 million records — including Social Security numbers, credit-card accounts and other personal data.

Overall, more than 250 million records containing personal information have been lost or stolen since 2005, according to the Privacy Rights Clearinghouse — and that’s driving more consumers to companies that say they can prevent theft.”

656 companies reporting ID theft

Over 250 Million identities exposed

36 Million records exposed in 2008

Also noted in the article, Heartland processes over 11 Million Transactions per day, but a total number of exposed numbers has not been published.

Sound bites build credibility with asset owners and overcome technologists’ attempts to make their security sound solid. Wall Street is a solid source to quote from, given that most decision makers read it (or at least pretend to).