Compliance Program Solutions for Auto Dealers

Red Flags Program

5 Mar

Here is an Identity Theft Article from the Phoenix Business Journal, notable for a good quote from Identity Theft 911’s Eduard Goodman:

“Businesses need to treat personal identifiable information like they would money,” Goodman said. “You wouldn’t leave cash lying around.”

Simple, easy to remember, and accurate. Your employees' eyes will glaze over when you start talking about FACTA and the FTC during Red Flags Training, so why not use that analogy before you get to the boring stuff?

Category : Red Flags Program | Training | Uncategorized | Blog
17 Feb

What if, as part of your strategy to Prevent and Mitigate Identity Theft, you make a business decision to downplay an incident that occurs at your company?  Heartland Payment Systems announced on Jan 20th that they had been hacked by an apparently “global cyber fraud operation”.  Based on the timing of the announcement (inauguration day) and their press releases, they made a clear decision to do exactly that:

  • Heartland’s initial press release, from January 20th, is subtitled in bold, “No Merchant Information or Cardholder Social Security Numbers Compromised”.   There is no reason for a payment processor (as opposed to a creditor) to have SSNs; this is akin to announcing that they were hacked, but the Statue of Liberty is still standing.
  • They also list a number of items that definitely weren’t compromised - PINs, addresses, etc.  And conversely, they go to some lengths to avoid saying what data was breached.  If they know what wasn’t compromised, then they know what was compromised, but they don’t disclose it.
  • They say that they were notified by Visa and MasterCard of “suspicious activity surrounding processed card transactions” rather than detecting the breach internally at first.  Does “suspicious activity surrounding processed card transactions” mean fraudulent charges were appearing on credit cards that had been through their processing system?
  • Also from the Jan 20th press release, they had brought in forensic auditors who discovered malware that compromised data “that crossed Heartland’s network” - as opposed to malware installed on Heartland’s network?
  • In their next press release, on Jan 23rd, Heartland finally admits, in a roundabout way, that credit card numbers were breached.  “Heartland does not yet know how many card numbers were obtained.”
  • On January 26th, Heartland CEO Robert Carr issued a letter that (finally!) included this:

Potentially exposed through this breach are card numbers, expiration dates and other data from the card’s magnetic stripe. In a small percentage of cases, the cardholder name of your customers who used a credit or debit card in your store during part of 2008 may also have been exposed.

Since Heartland processes $55 billion worth of transactions a year (per their Dec 2007 annual report), this is not a small breach.

Heartland President and CFO Robert Baldwin conducted interviews that were somewhat more informative. With Brian Krebs, who blogs on security issues for the Washington Post, Baldwin provided more detail: “The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.” One thing that jumps out from the Krebs interview, though:

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address,” Baldwin said. As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”

Whoever has the names and numbers can figure out how to do a bulk query on a name and address database, especially if they have the terminal (point of sale) location and can narrow it down by city.  Also, Heartland does not say one way or the other whether the credit card security codes were accessed.

Business Decision to Downplay Impact

Heartland has known about the breach since late October and clearly made an effort to downplay it.  Was this a good decision?  Certainly Carr and Baldwin have a responsibility to their company, their shareholders,  and their customers to not incite a panic.  And they are correct when they point out that credit card customers are not liable for fraudulent charges as long as they report them in a timely manner.

There are two problems, though.

First, Heartland has downplayed the impact to the point where it appears that they’re trying to totally obfuscate it.   Somebody is going to pay for fraudulent charges - the banks, the credit card companies, the merchants - and it would have been helpful for Heartland to say, in their first press release, exactly what data was breached and from what dates.  In fact, there has already been a class-action suit brought against them alleging, among other things, that Heartland “made unreasonably belated and inaccurate statements concerning the breach.”

Second, Heartland’s image and marketing efforts are built around reliability, trust, and transparency. But their response to this crisis has been neither timely nor accurate. Their company motto, embossed on their logo, is “The highest standards. The most trusted transactions.” Heartland’s home page boasts about “peace of mind”. And in Heartland’s second press release on the 23rd, they continue to assert this while providing absolutely no information that could be considered helpful to consumers, banks, or merchants: “Our record of candor…is highly valued,” according to Carr. Not so much, anymore.

Related Articles

BancInfoSecurity’s roundup coverage of the Heartland breach and its aftermath.  Gets a gold star for best and most thorough coverage.

AP News Article on the breach.  It appears AP just copied the press release for the most part, but it’s notable for saying Heartland “asserted that merchant and customer data were not affected,” in one sentence and “the only information breached were card numbers and cardholders’ names” in another.

Information Week Interview with Heartland President Robert Baldwin

Information Week Blogger George Hulme also takes issue with Heartland’s lack of forthrightness.

Anthony Freed wonders if Heartland waited so long because Carr was busy dumping stock.  One of the side effects of a perceived lack of candor.

Evan Schuman of Storefront Backtalk writes about the technical aspects of the breach.

UPDATE 2/17/09

InformationWeek follow-up. Three men were arrested in Tallahassee for using some of the credit card data. From the Tallahassee Sheriff’s Office press release:

“…it was determined that Acreus, Frazier and Johns have been using stolen credit card numbers to electronically encode VISA Gift Cards which were then used to make fraudulent purchases at local businesses, including several Tallahassee Wal-Marts. The group would then sell the fraudulently obtained merchandise for cash. The stolen credit card numbers utilized by the group were stolen in an international computer hijacking of records from the Heartland Processing Center in New Jersey. The total actual and declined fraudulent transaction in Leon County is currently in excess of $100,000. This amount is expected to be much higher as this investigation continues.”

It looks like whoever hacked Heartland sold the data to other thieves - I assume, maybe incorrectly, that the people going into Wal-Mart are not the same people who planted the malware. It will be interesting to see what further arrests happen as this plays out.

Category : Identity Theft Incidents and Methods | Prevent and Mitigate Identity Theft | Red Flags Program | Uncategorized | Blog
2 Feb

The city of Sallisaw rolled out their Red Flags Program and issued a public announcement about it so their customers know what to expect. (While municipalities are not subject to the Red Flags Rule, utilities are).

Before rolling out your program, take a page from Sallisaw’s book and make every effort to set customer expectations in advance.

Category : Government | Implementation | OK | Uncategorized | Utilities | Blog
1 Feb

A Denver-area man bought the contents of a storage unit at auction and discovered file cabinets full of hospital records, driver’s licenses, passports, birth certificates, etc. After the police declined to intervene, he turned them over to a local news station.

This case raises an interesting question that is very pertinent to the Red Flags Rule (although the hospital appears to have been operating under HIPAA guidelines). What if your company was contacted by a news outlet claiming that your customer records had been stolen? According to the rule, your written Red Flags Identity Theft Prevention Program should include a section on how your company will “Prevent and Mitigate Identity Theft”.

In English, that means you should determine what your company will do in response to an identity-theft-related incident. The incident could be anything from one of your Red Flags being triggered (e.g., someone tries to use a fake ID and your employee spots it) to a laptop being stolen to a notice, as in this case, that identity theft has occurred.

From the article, here’s how the hospital handled it:

After 9NEWS alerted St. Anthony Central about the patient records found in the storage unit, the hospital investigated. Within 48 hours, the hospital says it tracked down the employee who accessed the hospital records.

“This particular associate was confronted with this and the associate immediately confessed to the fact that they indeed had taken this information outside of our organization,” said St. Anthony Central CEO Peter Makowski. “We are very, very regretful that this ever took place.”

The hospital fired her last week. She had been an employee at the hospital for five years and passed a criminal background check and compliance tests, according to St. Anthony Central.

Records show the 150 patients whose stolen documents were found in the storage unit were admitted in the hospital during a six month period between 2007 and 2008.

The hospital is offering patients a free identity-theft protection service. You can read more about that at http://centura.mediaroom.com/index.php?s=43&item=338.

The hospital said it has contacted the Office for Civil Rights with the U.S. Department of Health and Human Services about the breach. The department investigates HIPAA privacy law violations.

The hospital also said it’s increasing the number of patient medical record system audits and educational efforts.

Kudos to the hospital for their response, the gentleman who found the stolen identities, and the reporters who followed up on the story.

Category : Health care | Prevent and Mitigate Identity Theft | Red Flags Program | Uncategorized | Blog
31 Jan

The Secret Service says that credit card and other personal information from up to 17,000 customers was stolen from three San Antonio hotels:

“The stolen accounts of hundreds of people already have been used to make fraudulent credit cards, which then were used to make purchases at area retailers, court records show…
[In the suspect's hotel room] officers found a cache of paraphernalia used in the production of credit cards…officers also found in the room Wal-Mart gift cards with logos of Mastercard or Visa that were in various stages of alteration, label makers, laptop computers, dry transfer decals and ink stamps.”

You may be surprised to learn that fake physical credit cards are somewhat common; stolen credit card account information is not just used for online purchases. The magnetic stripes on the back just hold the account information; in fact, an enterprising group of criminals in Las Vegas imprinted stolen credit card data onto the back of discarded or stolen hotel room keys, and the “credit cards” were then used for local purchases.

There are two takeaways here, which should be documented in your written Red Flags Identity Theft Prevention Program:
- Make sure you store customer data securely. If you don’t need to retain credit card numbers, don’t. I hate to think about the calls those three hotels are getting right now.
- If you accept credit cards, make sure your employees check IDs and actually look at the card being used.

Category : Hospitality | Identity Theft Incidents and Methods | Red Flags Program | Uncategorized | Blog
21 Jan

The FTC says that a mortgage broker stored customer credit reports, copies of driver’s licenses, credit cards, credit applications, bank statements, and more in his house’s garage, before disposing of 40 boxes of them in a publicly accessible dumpster. The FTC also claims that the broker provided his customers “with a written statement claiming that the companies maintained ‘physical, electronic, and procedural safeguards that comply with federal standards to store and secure information about you from unauthorized access, alteration and destruction.’” The broker has been charged with violating the Fair Credit Reporting Act and the rule regarding Disposal of Consumer Report Information and Records (Disposal Rule).

Proper storage and disposal of customer non-public information (NPI) should be part of your Red Flags Identity Theft Prevention Program.

Category : Implementation | Red Flags Program | Uncategorized | Blog
16 Oct

The FTC has apparently received feedback from members of the business community regarding their ability to create and implement a written Identity Theft Prevention Program by Nov 1st, and is granting a six month extension for most businesses.

Category : Red Flags Program | Red Flags Rule | Uncategorized | Blog

About Us

RedFlagsMadeEasy.com is brought to you by PegaFrog, Inc., consultants to the retail automotive industry.