
The Heartland Payment Systems Data Breach – what lessons can retailers learn? - George Quigley

George Quigley

The recent indictments by US authorities as part of the Heartland Payment Systems hacking prosecution have once again drawn the news spotlight to the growing problem of attacks against e-commerce operations. The attack, whose victims included Heartland Payment Systems, 7-Eleven and the Hannaford Brothers supermarket chain, is the largest ever reported, with more than 130 million credit and debit card details being stolen.

Sadly, retail businesses are among the prime targets for hackers, as they hold large amounts of confidential customer information. The ostensibly harmless “hobby hacker” paradigm of the early days of the internet has largely been replaced by sophisticated criminal enterprises specialising in identity theft and fraud.

Data security breaches can have a range of serious consequences for retail businesses including long-term reputational damage, legal claims and damage to share price. Additionally, for organisations required to comply with the Payment Card Industry Data Security Standard (PCI DSS), sanctions can include fines and even revocation of card processing capabilities.

From a forensic perspective, the Heartland attack is particularly instructive in that it was founded on a well-known, widely used and relatively straightforward technique known as “SQL injection”. By not addressing such well-understood attacks, retailers are leaving themselves open to serious security breaches.
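As an added illustration, not code from the article or from any of the systems it names, the flaw behind SQL injection and its standard fix side by side: a customer lookup that splices the caller's input into the query text, beside one that binds it as a parameter so the database only ever sees it as data. The table, the rows and the inputs are constructed sample data; sqlite3 is used only because it runs in memory with no server.

```python
import sqlite3

# Constructed sample table standing in for a retailer's customer store.
# The card column holds only a fake last-four digits, not real card data.
SAMPLE_ROWS = [
    (1, "Alice", "1111"),
    (2, "Bob", "2222"),
    (3, "O'Brien", "3333"),  # a legitimate name containing a quote
]


def build_db():
    """Create an in-memory database populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Injectable: the input is concatenated into the SQL, so any quote in it
    is parsed as SQL syntax rather than as part of the value."""
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the statement text is fixed and the driver binds the value
    separately, so quotes and keywords in the input never change the query."""
    sql = "SELECT id, name, card_last4 FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_breaks_on(conn, name):
    """True if the concatenated query is rejected by the parser for this input.
    An unexpected parse error on ordinary input (a surname with an apostrophe)
    is the everyday symptom of the same defect an attacker exploits."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = build_db()
    print(lookup_parameterized(db, "Alice"))
    print(lookup_parameterized(db, "O'Brien"))
    print(vulnerable_breaks_on(db, "O'Brien"))
```

The same quote-bearing surname that makes the concatenated version fail is matched correctly by the parameterized one; a review that grep-hunts for string-built SQL across the codebase, followed by conversion to bound parameters, is the remediation PCI DSS assessors expect to see.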

IT security is a complex topic requiring a specialised skill set and regular attention and investment. Implementing an appropriate security regime can often be a step too far for IT departments subject to a range of competing pressures and struggling with limited financial resources.

A key tool for helping businesses understand their IT security vulnerabilities is regular IT security testing. By using tools and techniques similar to those employed by hackers, testers can safely demonstrate the access that attackers can achieve to live systems. This provides decision makers with a realistic understanding of how their IT systems can be breached, thereby helping them to make best use of their security resources. Most retail organisations should look to carry out IT security tests on an annual basis. Businesses handling card information may be required to carry out quarterly tests to meet PCI DSS requirements.

BDO’s specialist Technology Risk and Advisory team offers a wide range of IT security services, including IT security tests that can help businesses identify and address their IT security issues. If you would like further information, please contact George Quigley on 020 7893 2522 or by email at george.quigley@bdo.co.uk.

Accountants and Business Advisers © 2013 BDO LLP. All rights reserved. BDO LLP, a UK limited liability partnership registered in England and Wales under number OC305127, is a member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. A list of members' names is open to inspection at our registered office, 55 Baker Street, London W1U 7EU. BDO LLP is authorised and regulated by the Financial Services Authority to conduct investment business. BDO is the brand name for the BDO network and for each of the BDO Member Firms.