Make us your home page

He's on front lines in war on data theft

Steven Elefant knows a thing or two about data theft.

He was hired in 2009 to pick up the pieces at Heartland Payment Systems after hackers swiped 130 million credit and debit card numbers from the company's computer database. It was the largest data breach in history.

While Heartland is back on firmer footing, data theft around the globe remains rampant, said Elefant, the chief information officer for the nation's fifth-largest payment processor handling 250,000 stores from mom-and-pops to 7-Eleven. Even the 2010 conviction of 28-year-old Miami hacker Albert Gonzalez in connection with the Heartland breach and earlier thefts at TJMaxx, Sweetbay Supermarket and other Florida retailers did little to improve the situation.

A member of the FBI and U.S. Secret Service electronic crimes task forces, Elefant, 52, recently talked with the St. Petersburg Times about how cyber criminals work, card security and what retailers and card-carrying customers should know.

Records lost to data breaches declined in 2009 from 360 million to 143 million, but that was still the third-highest total ever, while the number of reported breaches rose by a third. Most were through retail, hotel and restaurant systems. With hacker Albert Gonzalez in prison, how serious is the threat?

As serious as ever, if not more so. Gonzalez was not the mastermind. He was working with organized criminal rings in Eastern Europe, Ukraine and Russia. They will sell your stolen credit card numbers today over the Internet for $5 to $20 apiece.

U.S. law enforcement knows exactly who they are but cannot get them extradited. Some of these countries have no cyber crime laws, so they cannot arrest them there. We discovered after we were hacked that competitors and law enforcement had specific knowledge about our case before we did.

Gonzalez was also working as a U.S. government informant. (At least now) U.S. law enforcement, card issuers and other payment processors are talking and sharing information about threats.

How does a hacker convert a stolen card and expiration number to cash?

The bad guys sell the numbers to other bad guys who obtain blank cards and an imprinter — used ones are available on eBay or craigslist — and print their own credit cards or make counterfeit gift cards. They use the cards to buy big-ticket items like a $1,000 TV they sell for $500 to people who don't realize it's stolen merchandise.

This is bank robbery in the 21st century, only they are doing it from an easy-boy recliner on their home PC in the Ukraine. The system should never have made small retailers who don't know a firewall from a fire extinguisher responsible for losses. We're seeing more small breaches. I've seen restaurants put out of business by $500,000 penalties from data breaches.

Hackers sitting in vans in store parking lots tapped into the national wireless card database through transmissions emanating from Sweetbay and TJMaxx stores. How did they get in your secure card databank?

After a great many persistent attacks, they were able to find a way in through our corporate website. We picked up the breach of the card database immediately, but didn't realize for months they had inserted malware that compromised millions of card numbers.

People confuse data theft with identity theft. What's the difference?

With identity theft, the bad guys are trying to duplicate a person's identity. Data theft is mostly stealing card numbers and expiration dates to convert them to cash. People are concerned about identity theft from stolen cards, but you cannot get a passport with a credit card number. You need things like a driver's license or a Social Security number.

Heartland paid $141 million in industry-levied fines and settlement costs for the 2009 hack even though your system, like Sweetbay's, was certified to what the industry calls PCI compliance. What does that say about PCI standards?

That you are compliant until you have an issue. Then you aren't.

PCI is a good way to get people thinking about security. But it's checklist, not security. About 70 percent of the big chains and 20 percent of the small ones today are PCI complaint. We developed a system to regain our PCI compliance in six weeks. We asked former CIA and Mossad experts to break it, and they couldn't. In this day and age, there is no silver bullet, but we're pretty close.

The bad guys are smart and bold. In one Florida supermarket, somebody even installed a phony check stand terminal after the store closed to steal data. So our system automatically wipes out all the security keys if the check stand is tampered with. We're confident enough to guarantee to pay 100 percent of any fines or settlements assessed to a retailer for a breach.

What do retailers, who can be liable for losses from data in their possession, need?

Layers of security. First, end-to-end encryption from the moment a card is scanned in at the check stand to the end user. We call it reverse Rumpelstiltskin: We turn the gold into straw. That makes whatever data the bad guys get unusable.

Next is tokenization. That's assigning random numbers to each transaction … so retailers can retrieve information for refunds or returns. That leaves no real card data in the retailer's possession. Third, you need firewalls and passwords for a more tamper-proof system.

Did your clients bolt after the breach?

We lost very few clients and have been flat since then. So far about 10,000 of our 250,000 merchants have adopted end-to-end encryption. It's the gold standard we think will eventually be adopted by a majority.

To make card checkout faster, some card issuers recently dropped a security step: A clerk no longer looks at the card or signature. Is that wise?

We have to balance speed with security. I think you soon will see the answer in cards with a tiny computer chip embedded to replace the signature card. They're common in the rest of the world.

Has your credit card number been stolen?

Oh, yeah. I was in a meeting at Visa International headquarters in San Francisco when I got a call from my card issuer that someone was trying to use my Visa in Albuquerque, N.M. Of course, consumer losses from a data breach are usually totally covered by a card issuer or limited to $50 on a credit card. But there's a hassle factor to getting a new card, plus I had a lot of automatic payments to notify.

Mark Albright can be reached at or (727) 893-8252.

.fast facts

Curtailing the data breach problem

Computer records compromised by data breaches:

2004 11.5 million

2005 104.3 million

2006 124.2 million

2007 171.1 million

2008 360.8 million

2009 143.6 million

2010 Data Breach Report compiled by Verizon and U.S. Secret Service

Who's getting hit?

Four out of five compromised records were payment card numbers.


of total breaches

Financial 33 percent


Hospitality 23 percent


Retailers 15 percent

Manufacturing 6 percent

Tech services 5 percent

Government 4 percent

Media 4 percent

Health care 3 percent

Other 7 percent

2010 Data Breach Report compiled by Verizon and U.S. Secret Service

He's on front lines in war on data theft 02/05/11 [Last modified: Saturday, February 5, 2011 3:31am]
Photo reprints | Article reprints

© 2017 Tampa Bay Times


Join the discussion: Click to view comments, add yours

  1. Related Group breaks ground on complex at old Tampa Tribune site

    Real Estate

    TAMPA — Miami-based Related Group has broken ground on a 400-unit apartment complex planned on the site of the former Tampa Tribune building in downtown Tampa.

    From left, Related Group executive associate Arturo Penaa, Jorge Perez, center, founder and CEO of the Related Group, Mayor Bob Buckhorn and Steve Patterson, the President of Related Development dig their shovels  during the groundbreaking ceremony of the 400 unit Riverwalk Manor apartment complex on site of the old Tampa Tribune building on Wednesday. [OCTAVIO JONES | Times]
  2. Eat 3-course meals for $35 at these 100 restaurants for Orlando's Magical Dining Month

    Food & Dining

    In the early 1900s, hotels offered "table d'hote" or "prix fixe" menus as a form of loss leader. Hotels didn't necessarily make money on these lower-priced, multi-course meals, often served at communal tables, but they made up for it on the booze. Prohibition may have contributed to a gradual shift toward a la carte …

    Bulla Gastrobar serves a variety of Spanish and Portuguese dishes.
  3. Lightning GM Steve Yzerman sells house for $3 million to new player

    Real Estate

    TAMPA — Tampa Bay Lightning General Manager Steve Yzerman's multi-million Davis Islands home is staying in the Lightning family. Yzerman sold his 6,265-square-foot house Monday to new defenseman Dan Girardi for $3 million.

    The Davis Islands home of Tampa Bay Lightning General Manager Steve Yzerman sold for $3 million Monday to Lightning defenseman Dan Girardi. | [Courtesy of Hi Res Media]
  4. Trigaux: As Florida seeks top 10 status as best business state, red flag rises on workforce


    In the eternal quest to appeal more to business than other states, Florida's managed to haul itself out of some pretty mediocre years. After scoring an impressive 8 among 50 states way back in 2007, Florida suffered horribly during and immediately after the recession. Its rank sank as low as No. 30 only four years ago, …

    Florida's trying to make strides in preparing its high school and college graduates for the rapidly changing skill sets of today's workforce. But the latest CNBC ranking of the best and worst states for business gave Florida poor marks for education, ranking No. 40 (tied with South Carolina for education) among the 50 states. Still, Florida ranked No. 12 overall in the best business states annual ranking. [Alan Berner/Seattle Times]
  5. For the first time in Florida, a white person is set to be executed for killing a black person.

    State Roundup

    GAINESVILLE — For the first time in state history, Florida is expecting to execute a white man Thursday for killing a black person — and it plans to do so with the help of a drug that has never been used before in any U.S. execution.

    This undated photo provided by the Florida Department of Corrections shows Mark Asay. If his final appeals are denied, Asay is to die by lethal injection after 6 p.m. Thursday. Asay was convicted by a jury of two racially motivated, premeditated murders in Jacksonville in 1987.  [Florida Department of Corrections via AP]