Heartland Data Breach: Lessons for MSPs
With Heartland Payment Systems’ potentially record-breaking data breach now sparking a class-action lawsuit, there are some important lessons for managed service providers and their customers. Here’s what went wrong at Heartland, and some practical guidance for security-minded MSPs.
Heartland’s massive security breach is a particularly telling case for a couple of reasons. The company resides deep in the payment systems infrastructure — rarely touching end-users directly. One step away from the fraud monitoring provided for your bank account or credit card, Heartland was meant to support banks and businesses, helping them “navigate through the complexities of payment transactions, … protecting (them) from the worries, issues and problems that can abound.” (For Heartland’s official comment about the data breach, see http://www.2008breach.com/.)
It wasn’t a careless employee or a stolen laptop that caused this breach. Heartland’s setback is all the more ominous because it reportedly was a result of sophisticated hacker-installed “sniffer” software. The software allegedly captured credit card data when it was unencrypted for authentication. If a company like Heartland cannot ward this off, what does this mean for the rest of us?
Things to Think About
For MSPs, as always, this situation offers risk and opportunity. The costs of data breaches are rising, both in direct and intangible damages and in scope. Brian Krebs of The Washington Post provides some great insight, defining the financial risks of data loss while also providing business case fodder on the necessity of data protection.
Security measures are increasingly mandated not only for enterprises but also for SMBs. For instance, the states of Nevada and Massachusetts have mandated that all companies encrypt electronic records containing the personal data of all their citizens. It is still early days, but more states are expected to follow as requirements become more clearly defined.
As a result, small businesses that previously managed their own IT will increasingly embrace specialized managed security service providers. And those SMBs already relying on MSPs will come to expect more.
Recommended Actions for MSPs:
- Frankly assess the security value you provide your customers and look to shore it up. Would partnering with a Security Consulting Services firm provide you the deep security expertise to both assess your clients’ risk up front, and better enable you to implement the best processes and infrastructure? What other technologies can you add to your portfolio that will not only drive revenue but provide additional peace of mind to both you and your customers? How will process management play in your security offerings?
- Look at data security at the block or bit level, from the source and across the entire data life cycle, to better understand your customers’ security needs. Your current physical security can be better optimized if mapped against the lifecycle of your data, giving you a more complete picture of potential gaps in security.
- Stay on top of technology. In your “heaps” of spare time, make it a priority to understand how data protection is evolving. The pace of change in IT continues to accelerate.
Remember, Heartland’s breach (reportedly) involved a millisecond opportunity — when personal data was unencrypted for authentication. A lifecycle management approach at the block or bit level would have identified this as a risk. Heartland has stated they are changing their approach to encryption at rest and in transit as a result.
If a sophisticated company like Heartland has more to learn here, no doubt most other companies do as well.
Lori Salow Marshall is VP of Marketing & Business Development at Datacastle Corporation, a SaaS data security solution provider serving managed service providers worldwide. Guest blog entries such as this one are contributed on a monthly basis as part of MSPmentor.net’s 2009 Platinum sponsorship.