Heartland Payment Systems recently began notifying approximately 2,200 people that their personal information may have been compromised when 11 password-protected computers were stolen from Heartland's office in Santa Ana, California.
Four of the 11 stolen computers held personally identifiable information (PII), including Social Security numbers and bank account information.
The Santa Ana office, formerly Ovation Payroll, was recently acquired by Heartland.
"As part of our ongoing commitment to security, Heartland has already encrypted most computers, and as we integrate acquisitions, Heartland is actively working to encrypt any remaining computers in every office that may have access to, or house, PII or payment data," the company said in a statement.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
All those affected are being provided with one year of access to identity theft protection services from Kroll.
Lastline vice president Brian Laing told eSecurity Planet by email that the PII stolen in the recent breach could still have a significant impact. "When a large number of credit cards are stolen the banks can run through a very established process with little impact to customers," he said. "Once the process is complete there is little future impact if any."
In this case, though, there's no established process to run through. "With this information attackers can potentially access funds in peoples’ bank accounts," Laing said. "It will then be up to the user to show that their identity has been compromised. That can be a very difficult process for a majority of those that are impacted."
"Credit card theft is expensive enough," Liang added. "If the number of breaches with PII continues to increase the financial impact due to clean up, proactive protection, and the like will quickly surpass the costs due to credit card fraud."
Tripwire senior security analyst Ken Westin said by email that the recent breach should serve as a reminder of the importance of physical security. "Although many companies invest heavily in their security programs, particularly after a breach, to help secure their networks from remote hackers, many of the security controls they implement go out the window once a device is stolen," he said.
"Securing data on devices from physical theft requires a different security controls such as full disc encryption, which is more often deployed on laptops that leave the office versus systems that stay on premises," Westin added. "In my experience working with law enforcement on several cases where systems were stolen from offices, systems such as servers and desktops are unfortunately often left unencrypted, with a belief that they are secure as they do not leave the building."