Ripping out your still-beating Heartland…
Posted by Ed in Analysis on Jan 21, 2009
So, you’ve heard about the Heartland Payment Systems breach? I have to confess that as a connoisseur of human folly, my first reaction was “wow, sweet!”. Of course, then I started speculating that maybe this had something to do with the 5k in fraudulent charges that some yahoo managed to accrue on my Chase card the other day. Oh well, stuff happens, right?
But then I saw the response from the company… Did you see it? If you’re feeling like you could use a good fire-up, check it out. It starts off OK… maybe even noteworthily admirable:
“The transactional data crossing our platform, in terms of magnitude… is about 100 million transactions a month,” Baldwin said. “At this point, though, we don’t know the magnitude of what was grabbed.”
That makes sense, and seems reasonable and honest. But then, just when they were starting to impress me with their non-foolishness, they say this:
The company stressed that no merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were jeopardized as a result of the breach…
Wait a sec… For rulz? So, to paraphrase: it’s the largest theft of credit card data of all time, but it’s really not so bad because they didn’t lose my social too? Are you kidding me? Financial data is leaking from the environment like a broken pipe, but really that’s OK, because my phone number is all good? Oh no, no.
But then comes the part that’s outright disingenuous:
“The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address…” As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants “is not impossible, but much less likely.”
I call shenanigans. While it is true on the surface, it completely dodges the real issue, which is: who gives a rat’s backside about card-not-present transactions? Yes, for CNP the address would be nice to have. But since the “bad guys” have the track data, they’d have to be smoking crack to go down the CNP route. Why? Because they’re better off printing farking cards using YOUR track data. The address isn’t on the track data in the first place – so they don’t need it.
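To make that concrete, here is an added example (not from the original post) that parses ISO 7813 Track 2 data the way a breach-scoping or DLP scan would, and enumerates exactly the fields the track carries; the sample record is constructed, using the industry’s standard test PAN, and the Luhn check filters out digit runs that merely look like track data.

```python
import re

# ISO 7813 Track 2 layout: [;]PAN=YYMM SSS discretionary[?]
# PAN is 13-19 digits, YYMM the expiry, SSS the 3-digit service code.
# Sentinels are optional because memory fragments often lack them.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??"
)

# Constructed sample: the well-known Visa test PAN, expiry 12/25,
# service code 101, followed by made-up discretionary data.
SAMPLE = ";4111111111111111=2512101123456789?"


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check used on PANs; cuts false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(blob: str) -> list:
    """Return every Luhn-valid Track 2 record in blob with the fields
    the format actually carries. Note what is NOT here: no address,
    no SSN, no phone number. Those were never on the track."""
    records = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue
        records.append({
            # Mask to first 6 / last 4 so the finding itself is safe to log.
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry_yymm": m.group("exp"),
            "service_code": m.group("svc"),
            "discretionary": m.group("disc"),
        })
    return records


if __name__ == "__main__":
    for rec in parse_track2(SAMPLE):
        print(rec)
```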
Are they telling people that? No. Should they be? Well, maybe – maybe not. But don’t tell people everything’s all good when it’s really almost as bad as it could get. Don’t put the icing on it – it just causes trouble.