Did Heartland CEO Make Insider Trades?

Saturday, January 29, 2011

Anthony M. Freed


Heartland Payment Systems (HPY) and Federal investigators have released more details about the technical nature of the massive financial data breach made public last week, but have refused to pinpoint the exact date that Heartland first became aware there may have been a problem with their network security.

The date they settle on may well be the difference between market serendipity and an SEC investigation for insider trading.

An examination of stock sales made by Heartland CEO Robert O. Carr in the second half of 2008 raises serious questions about who knew what and when in this latest version of the worst-ever information security breach.

The unauthorized access to consumer credit card information has also spawned a class action lawsuit.

Federal investigators and the Secret Service have traced the Heartland data breach to sources outside of North America, with some reports indicating Eastern Europe as being the most likely origin of the offense.

The methods used by the perpetrators have been pieced together from evidence that is somewhat contradictory in nature, and is now suspected of being nothing more than a red herring planted by the hackers to throw investigators off their trail.

Excerpts from Evan Schuman:

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa (V) and MasterCard (US:MA) according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Another consultant, who also wanted his name left out, said the ability to write directly to specific disk sectors is frightening. “Somehow, these guys went directly to the base level of the machine (to an area) that was not part of the file table for the disk,” he said. “Somehow, they got around the operating system. That’s a scary mother in and of itself.”

Other industry brains were less impressed. One nationally recognized and certified information security expert with whom I corresponded Wednesday evening regarding the breach indicated that the hackers exploited a system weakness that should have been well known to Heartland, and for which protocols were issued several years ago.

From my email conversation:

“This was an ‘I told you so’ moment for me. I know exactly which part of the process got hit. It was the un-encrypted Point-to-Point connection which occurs between the Host Security Module (HSM) and the Application Security Module (ASM).

“But that means that they had to have had a hole in their firewall to insert the sniffer into unallocated disk space.”

“Now Heartland is crying poor me, and making it sound like they are heroes by claiming that they are going to ‘develop’ end to end encryption. They should have been using the ISO Banking Security Standards which were promulgated in 2004/2005. They should be expected to uphold the standard.”

It looks as if the techies have already been able to dissect the mechanics of this cyber-cat-burglar, yet ten days later we still have no clear idea of how long the sensitive data was exposed, or when Carr and other Heartland executives first had an indication that something was not as it should be.

More from Evan Schuman:

(Heartland CFO Robert) Baldwin also added more details to the sketchy timeframes that have been revealed thus far about the attacks, specifying that Heartland was contacted by Visa and MasterCard “in very late October,” possibly October 28.

Given that authorities are conducting an investigation, it is understandable that many details will not be released until after an arrest is made.

But, by the nature of the details that have and have not been revealed, one has to wonder who all is actually under investigation here.

In an on-going criminal investigation, mechanistic details are withheld from the public for obvious reasons, and often all the press has to report is a headline and a time-stamp.

Oddly enough, it is those kinds of details about the crime that have been trickling out, including the suspects’ possible location.

The information usually made available in similar cases is being obscured, such as what was stolen and when. The answer to the latter question is of particular interest.

If Heartland personnel, and particularly Bob Carr, had no indication that something was awry with their security until they were alerted by Visa and MasterCard at the end of October, there is no problem.

Under this scenario, according to the chart above, Carr just happened to be in the middle of a major sell-off of Heartland stock unlike any he had ever undertaken before when he found out “late in the fall” about the problems.

It could simply be the case that Carr just happened to decide to sell 80,000 share blocks of Heartland stock for roughly $1.6 Million a pop on nine separate occasions, about once every other week, in the four month period leading up to the announcement of the breach.

These uncharacteristically large and frequent liquidations just happen to have occurred while the company was in the middle of an expensive acquisition and expansion of services, and all while the credit markets were in total dysfunction.

If, on the other hand, company communiqués and records reveal that Heartland knew of possible anomalies in its processing security at the end of August instead of at the end of October, then we have another scenario to suppose.

Under this hypothetical situation, Heartland may have discovered problems prior to the end of August and may have known it was something serious simply because no one could figure it out.

According to the official company statements, this was a difficult intrusion to detect, one that was missed more than once.

Again from Evan Schuman:

The initial internal conclusion was that “it looked most likely that it would be in a certain segment of our processing platform,” said Baldwin, adding that Heartland does not want to identify what that segment was. The company hired a forensic investigation team to come in and focus solely on that one area, an effort that ultimately proved fruitless. “We found issues in a large segment of our processing environment. The one that looked like the most promising turned out to be clean,” he said.

That second team “was nearing conclusion” and was about to make the same assessment the first team did: clean bill of health. But one of the last things that external, qualified risk assessor did was to try and match various temp files with their associated application. When some orphans, .tmp files that couldn’t be matched to any application or the OS, were turned over to Heartland’s internal IT group, they also couldn’t explain them, saying that it was “not in a format we use,” Baldwin said. More investigation ultimately concluded that those temp files were the byproduct of malware, and more searching eventually located the files in the unallocated portions of server disk drives.
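The detection route Baldwin describes, matching leftover temp files to the applications that should have produced them, can be turned into a routine triage check. The script below is an added example, not tooling from Heartland or its investigators: it walks a directory tree, labels each `.tmp` file by an assumed allowlist of naming patterns and leading bytes (both constructed here), and reports whatever neither list explains as an orphan worth a closer look. The sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed allowlist: file-name patterns our own applications' temp files follow.
KNOWN_NAME_PATTERNS = [
    re.compile(r"^settle_\d{8}_\d+\.tmp$"),    # constructed batch-settlement scratch file
    re.compile(r"^~spool_[0-9a-f]{8}\.tmp$"),  # constructed print-spool scratch file
]
# Assumed allowlist: leading bytes of temp-file formats our applications write.
KNOWN_MAGIC = {b"SETL": "settlement", b"PK\x03\x04": "zip-based"}

def classify(path: Path) -> str:
    """Label a temp file by allowlisted name or format; anything else is an orphan."""
    for pat in KNOWN_NAME_PATTERNS:
        if pat.match(path.name):
            return "known-name"
    with path.open("rb") as fh:
        head = fh.read(8)
    for magic, label in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return label
    return "orphan"

def find_orphans(root) -> list:
    """Walk root and return relative paths of *.tmp files no allowlist explains."""
    root = Path(root)
    orphans = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(".tmp"):
                p = Path(dirpath) / fn
                if classify(p) == "orphan":
                    orphans.append(p.relative_to(root).as_posix())
    return sorted(orphans)

def build_sample_tree() -> str:
    """Constructed sample: two legitimate temp files and two that nothing explains."""
    root = Path(tempfile.mkdtemp())
    (root / "app").mkdir()
    (root / "app" / "settle_20081028_17.tmp").write_bytes(b"SETL batch 17")
    (root / "app" / "report.tmp").write_bytes(b"PK\x03\x04\x14\x00\x00\x00")
    (root / "x9k2.tmp").write_bytes(b"\x00\x12\x7f\x45\x00\x00")      # unknown binary
    (root / "app" / "cache_01.tmp").write_bytes(b"plain text dump\n")  # unknown text
    return str(root)

if __name__ == "__main__":
    for orphan in find_orphans(build_sample_tree()):
        print("orphan temp file:", orphan)
```

An allowlist miss is a lead, not a verdict: the orphans still need the same manual review that led Heartland's investigators from the temp files to the malware itself.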

So, continuing with the hypothetical scenario, Heartland would have had inside personnel looking for the problem when they got a call from Visa and MasterCard with the friendly heads-up.

Heartland could have simply decided not to acknowledge the problem until its business partners forced it to.

The end of August is of interest because this is when Carr began to sell off large blocks of stock about every other week, a significantly different trading pattern from the one Carr had engaged in previously.

If documentation turns up that indicates Heartland knew of serious problems with their network security prior to August 28th, these huge and rapid sell-offs by Carr may look more than suspect to the SEC.

I cannot see the strategic value of withholding an accurate timeline of what the company and Carr knew, and exactly when they knew it.

If it turns out that everything is kosher here and all is as Heartland has indicated so far, which is very little, then I guess I just don’t understand Carr’s trading strategy over the last half of 2008 and how it related to his goals as CEO for the growth and performance of his company.

They seem to be at odds, but that is no crime, just ask anyone who shorts their own company from time to time.

It just needs to be cleared up.

Not to worry though, as this is nothing that a solid and well-documented timeline won’t be able to take care of.

Meanwhile, Heartland’s stock (HPY) bounced back a little Wednesday, but is still trading at nearly half of its value prior to the breach announcement.

The data loss debacle at Heartland highlights the fact that the failure to secure information is a growing national security threat, and will be the next major shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue to impact our economy.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.