BreachExchange mailing list archives

Re: Update: Heartland breach shows why compliance is not enough


From: Dotzero <dotzero () gmail com>
Date: Thu, 7 Jan 2010 10:31:52 -0500

The fact that Robert Carr claims compliance is not validation that
Heartland actually was compliant. Given the timeframes involved
(duration of the breach) and the fact that the problem was apparently
brought to their attention by the card companies, it is hard to
believe that Heartland actually was compliant.

The fact that Mr. Carr got religion after the breach and now
recognizes that compliance does not equal security is a man bites dog
story.

Just my 2 cents as an outside observer.

On Thu, Jan 7, 2010 at 3:59 AM, security curmudgeon
<jericho () attrition org> wrote:


---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.computerworld.com/s/article/9143158/Update_Heartland_breach_shows_why_compliance_is_not_enough?taxonomyId=17

By Jaikumar Vijayan
Computerworld
January 6, 2010

Nearly a year after Heartland Payment Systems Inc. disclosed what turned
out to be the biggest breach involving payment card data, the incident
remains a potent example of how compliance with industry standards is no
guarantee of security.

Princeton, N.J.-based Heartland last Jan. 20 disclosed that intruders had
broken into its systems and stolen data on what was later revealed to be a
staggering 130 million credit and debit cards. That number easily eclipsed
the 94 million cards that were compromised in the massive breach disclosed
by TJX Companies Inc. in 2007.

However, it wasn't just the scope of the Heartland breach that made it
remarkable, but also the company's insistence that it was certified as
fully compliant with the requirements of the Payment Card Industry Data
Security Standard (PCI DSS) when it was compromised.

In public comments after the breach, Heartland CEO Robert Carr
emphatically claimed the intrusion occurred even though the company had
implemented every single one of the security controls mandated by the PCI
standard. In an interview with Computerworld last June, Carr said the
breach pointed to both the sophistication of the attacks against Heartland
and the inadequacy of relying on PCI controls alone for data security.

[...]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.
http://www.credant.com/campaigns/ebook-chpt-one-web.php
