Make us your home page

He's on front lines in war on data theft

Steven Elefant knows a thing or two about data theft.

He was hired in 2009 to pick up the pieces at Heartland Payment Systems after hackers swiped 130 million credit and debit card numbers from the company's computer database. It was the largest data breach in history.

While Heartland is back on firmer footing, data theft around the globe remains rampant, said Elefant, the chief information officer for the nation's fifth-largest payment processor handling 250,000 stores from mom-and-pops to 7-Eleven. Even the 2010 conviction of 28-year-old Miami hacker Albert Gonzalez in connection with the Heartland breach and earlier thefts at TJMaxx, Sweetbay Supermarket and other Florida retailers did little to improve the situation.

A member of the FBI and U.S. Secret Service electronic crimes task forces, Elefant, 52, recently talked with the St. Petersburg Times about how cyber criminals work, card security and what retailers and card-carrying customers should know.

Records lost to data breaches declined in 2009 from 360 million to 143 million, but that was still the third-highest total ever, while the number of reported breaches rose by a third. Most were through retail, hotel and restaurant systems. With hacker Albert Gonzalez in prison, how serious is the threat?

As serious as ever, if not more so. Gonzalez was not the mastermind. He was working with organized criminal rings in Eastern Europe, Ukraine and Russia. They will sell your stolen credit card numbers today over the Internet for $5 to $20 apiece.

U.S. law enforcement knows exactly who they are but cannot get them extradited. Some of these countries have no cyber crime laws, so they cannot arrest them there. We discovered after we were hacked that competitors and law enforcement had specific knowledge about our case before we did.

Gonzalez was also working as a U.S. government informant. (At least now) U.S. law enforcement, card issuers and other payment processors are talking and sharing information about threats.

How does a hacker convert a stolen card and expiration number to cash?

The bad guys sell the numbers to other bad guys who obtain blank cards and an imprinter — used ones are available on eBay or craigslist — and print their own credit cards or make counterfeit gift cards. They use the cards to buy big-ticket items like a $1,000 TV they sell for $500 to people who don't realize it's stolen merchandise.

This is bank robbery in the 21st century, only they are doing it from an easy-boy recliner on their home PC in the Ukraine. The system should never have made small retailers who don't know a firewall from a fire extinguisher responsible for losses. We're seeing more small breaches. I've seen restaurants put out of business by $500,000 penalties from data breaches.

Hackers sitting in vans in store parking lots tapped into the national wireless card database through transmissions emanating from Sweetbay and TJMaxx stores. How did they get in your secure card databank?

After a great many persistent attacks, they were able to find a way in through our corporate website. We picked up the breach of the card database immediately, but didn't realize for months they had inserted malware that compromised millions of card numbers.

People confuse data theft with identity theft. What's the difference?

With identity theft, the bad guys are trying to duplicate a person's identity. Data theft is mostly stealing card numbers and expiration dates to convert them to cash. People are concerned about identity theft from stolen cards, but you cannot get a passport with a credit card number. You need things like a driver's license or a Social Security number.

Heartland paid $141 million in industry-levied fines and settlement costs for the 2009 hack even though your system, like Sweetbay's, was certified to what the industry calls PCI compliance. What does that say about PCI standards?

That you are compliant until you have an issue. Then you aren't.

PCI is a good way to get people thinking about security. But it's checklist, not security. About 70 percent of the big chains and 20 percent of the small ones today are PCI complaint. We developed a system to regain our PCI compliance in six weeks. We asked former CIA and Mossad experts to break it, and they couldn't. In this day and age, there is no silver bullet, but we're pretty close.

The bad guys are smart and bold. In one Florida supermarket, somebody even installed a phony check stand terminal after the store closed to steal data. So our system automatically wipes out all the security keys if the check stand is tampered with. We're confident enough to guarantee to pay 100 percent of any fines or settlements assessed to a retailer for a breach.

What do retailers, who can be liable for losses from data in their possession, need?

Layers of security. First, end-to-end encryption from the moment a card is scanned in at the check stand to the end user. We call it reverse Rumpelstiltskin: We turn the gold into straw. That makes whatever data the bad guys get unusable.

Next is tokenization. That's assigning random numbers to each transaction … so retailers can retrieve information for refunds or returns. That leaves no real card data in the retailer's possession. Third, you need firewalls and passwords for a more tamper-proof system.

Did your clients bolt after the breach?

We lost very few clients and have been flat since then. So far about 10,000 of our 250,000 merchants have adopted end-to-end encryption. It's the gold standard we think will eventually be adopted by a majority.

To make card checkout faster, some card issuers recently dropped a security step: A clerk no longer looks at the card or signature. Is that wise?

We have to balance speed with security. I think you soon will see the answer in cards with a tiny computer chip embedded to replace the signature card. They're common in the rest of the world.

Has your credit card number been stolen?

Oh, yeah. I was in a meeting at Visa International headquarters in San Francisco when I got a call from my card issuer that someone was trying to use my Visa in Albuquerque, N.M. Of course, consumer losses from a data breach are usually totally covered by a card issuer or limited to $50 on a credit card. But there's a hassle factor to getting a new card, plus I had a lot of automatic payments to notify.

Mark Albright can be reached at [email protected] or (727) 893-8252.

.fast facts

Curtailing the data breach problem

Computer records compromised by data breaches:

2004 11.5 million

2005 104.3 million

2006 124.2 million

2007 171.1 million

2008 360.8 million

2009 143.6 million

2010 Data Breach Report compiled by Verizon and U.S. Secret Service

Who's getting hit?

Four out of five compromised records were payment card numbers.


of total breaches

Financial 33 percent


Hospitality 23 percent


Retailers 15 percent

Manufacturing 6 percent

Tech services 5 percent

Government 4 percent

Media 4 percent

Health care 3 percent

Other 7 percent

2010 Data Breach Report compiled by Verizon and U.S. Secret Service

He's on front lines in war on data theft 02/05/11 [Last modified: Saturday, February 5, 2011 3:31am]
Photo reprints | Article reprints

© 2017 Tampa Bay Times


Join the discussion: Click to view comments, add yours

  1. Carrollwood fitness center employs scientific protocol to help clients


    In 2005, Al Roach and Virginia Phillips, husband and wife, opened 20 Minutes to Fitness in Lakewood Ranch, and last month they opened the doors to their new location in Carrollwood.

    Preston Fisher, a personal fitness coach at 20 Minutes To Fitness, stands with an iPad while general manager/owner Angela Begin conducts an equipment demonstration. The iPad is used to track each client's information and progress. I also included one shot of just the equipment. The center recently opened in Carrollwood. Photo by Danielle Hauser.
  2. Olive Tree branches out to Wesley Chapel


    WESLEY CHAPEL — When it came time to open a second location of The Olive Tree, owners John and Donna Woelfel, decided that Wesley Chapel was the perfect place.

    The Olive Tree expands its offerings of "ultra premium?€ extra virgin olive oils (EVOO) to a second location in Wesley Chapel. Photo by Danielle Hauser.
  3. Massachusetts firm buys Tampa's Element apartment tower

    Real Estate

    TAMPA — Downtown Tampa's Element apartment tower sold this week to a Massachusetts-based real estate investment company that plans to upgrade the skyscraper's amenities and operate it long-term as a rental community.

    The Element apartment high-rise at 808 N Franklin St. in downtown Tampa has been sold to a Northland Investment Corp., a Massachusetts-based real estate investment company. JIM DAMASKE  |  Times
  4. New York town approves Legoland proposal


    GOSHEN, N.Y. — New York is one step closer to a Lego dreamland. Goshen, a small town about fifty miles northwest of the Big Apple, has approved the site plan for a $500 million Legoland amusement park.

    A small New York town, Goshen approved the site plan for a $500 million Legoland amusement park. Legoland Florida is in Winter Haven. [Times file  photo]
  5. Jordan Park to get $20 million makeover and new senior housing

    Real Estate


    Times Staff Writer

    ST. PETERSBURG —The St. Petersburg Housing Authority, which bought back the troubled Jordan Park public housing complex this year, plans to spend about $20 million to improve the 237-unit property and construct a new three-story building for …

    Jordan Park, the historic public housing complex, is back in the hands of the St. Petersburg Housing Authority. The agency is working to improve the 237-unit complex. But the latest plan to build a new three-story building for seniors will mean 31 families have to find new homes. [LARA CERRI   |   Tampa Bay Times]