I made several entries in recent weeks regarding the Heartland breach and just wanted to close out, what became a little blog series about protection, encryption, education and how F5 solutions might have have made these non-existent. There are a lot of people affected by the breach, including myself. This is the notice I get when I login to my banking website:
Important Message - For Visa Check Card Users.
Visa® has notified ** Bank that Heartland Payment Systems, an independent merchant card processor, experienced a security breach in their organization. As a result, Visa® has provided ** Bank with a list of card numbers that may have been affected by the compromise. ** Bank is taking every precaution, notifying those individual clients affected, informing them that their Visa® card will be closed, and a replacement card will be mailed within the next few days. Please carefully review your account activity and immediately report any discrepancies. Should you have questions concerning the compromise, please visit the Heartland Payment System site at www.2008breach.com. If you received ** Bank's notification that your card was compromised and you have questions, please call us. (bank name removed for my protection) :-)
Luckily, I never use my debit card as a Visa so, in theory, I should be fine. I’m still diligently reviewing my daily transactions to make sure nothing has gone astray but I do feel a little better about this than I did the Checkfree breach, since that was a backend connection via partners and I have no control over that. But, here’s the catch. Even though I feel somewhat ok, it’s still a daily ‘check’ to calm my wonders. That’s the other part of breaches – aftermath. Not necessarily all the press, new cards, and credit checks – a lot of times it’s the wait and wonder. If your institution is involved in a breach and nothing bad happens to you, you think you might be cool. But sometimes these things take time. It’s not uncommon for a breach to be announced with all the expert articles covering the story. A common theme in these articles is the ever present, ‘we’re not sure just how many records were compromised.’ 10 months later only a byline appears somewhere but the compromised/sensitive information is still being sold or used somewhere in the crime-sphere. Even if you were in the early bunch and got a new card, your troubles might not be over since there might have more information about you leaked than just a 16 digit code. Combine that with info scraped from a social media site and an impostor still has the means to cause personal havoc. When all the press has faded you can’t forget that you might still be at risk. Even now, that Checkfree breach doesn’t get much press & you might have already forgotten about it.
Some good news is that authorities have now arrested three people in Florida in connection to the Heartland breach. The trio were arrested after trying to use stolen numbers tied to the Heartland breach at a local Wal-Mart…but after a 3 month investigation….and these were low level crooks. They were using some of the numbers as early as last November ‘08 even though the breach wasn’t announced until January ‘09. It’s entirely possible to even get hit during an investigation since the authorities almost have to ‘let’ the criminals commit fraud just to gather evidence.
So as the stories dwindle, new cards arrive and the next ‘Breaking News’ breach hits, don’t let your diligence fade as your comfort returns. Oh, and if you like ‘time’ in songs, here’s a great list.