Heartland data breach damages still mounting
Visa removes processor from PCI-compliant list
By Seamus McAfee
More than two months after the first announcement of the Heartland Payment Systems security breach, the processor has continued to draw fire from merchants and issuers. Damages from what may be the largest PCI data breach in history continue to snowball into public relations disputes, lawsuits and government probes aimed at the company.
Card processing giant Visa on March 23 delivered a public slap to Heartland, a leading processor of credit and debit payments, by temporarily removing it from Visa's list of service providers that comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI-compliant service providers adhere to a strict set of data security standards to protect consumers' card information and fight identity theft and fraud.
Visa has questioned Heartland's security compliance, especially at the time the processor was breached in 2008, saying no merchant that has been PCI compliant has been compromised. Heartland has countered that it was validated for PCI a month before the breach is thought to have begun, and critics have said Visa may be simply trying to dodge questioning of itself and its favored security standard. Visa indicated that it would re-place Heartland on its list of PCI compliant processors as soon as the company meets the standards, which Heartland CEO Robert O. Carr said his company could achieve in weeks.
Visa's move is one in a long string of events since Jan. 20, 2009, when, after being alerted by Visa and MasterCard of suspicious activity surrounding processed card transactions, Heartland announced that malicious software had compromised its data in 2008. The data potentially exposed through this breach includes card numbers, expiration dates and other data from the card's magnetic stripe, and in some cases, the names of customers who used debit or credit cards at Heartland's network of 250,000 businesses.
Heartland has not disclosed the extent of the breach, but industry officials have described it as one of the largest in history. Banks across the country moved quickly and began sending out replacement cards, and advised consumers to watch their account statements more closely than ever.
The residual fallout continues:
- Heartland faces dozens of lawsuits in federal and district courts, including one from an investor who filed a claim in the U.S. District Court of New Jersey, on behalf of all Heartland investors who lost money in Heartland from August 2008 to February 2009.
- United Bank also responded to the breach by re-issuing several of their debit and credit cards to a list of consumers supplied by Visa. MasterCard has not re-issued any of its cards.
- Visa and Heartland released statements assuring their customers that although Visa was suspending Heartland, the processor was still valid in the Visa system. According to both companies, it was in response to rivals' attempts to capture customers with false claims that using Heartland could result in fines or certification problems.
- Heartland announced it has fallen subject to formal inquiries by the Securities and Exchange Commission, the Federal Trade Commission, the U.S. Department of the Treasury's Office of the Comptroller of the Currency, as well as an investigation by the U.S. Department of Justice.
- Heartland's stock value has plunged since the announcement of the breach, hitting a 52-week low of $3.57 on March 12, after hovering close to $20 a share in early January.
- Credit unions have been hit hard by the breach, most notably the Healthfirst Credit Union, which has incurred losses on 800 cards, or 57 percent of its total issued cards, and fraud exceeding $70,000 as a result of Heartland being compromised.
- As of Feb. 12, more than 600 U.S. institutions have been impacted by the Heartland data breach, according to a list kept by Bank Info Security.
According to American Banker, many banks and credit unions are pursuing lawsuits to compensate for the cost of notifying customers of the breach, re-issuing cards and repairing accounts for those affected by fraudulent activity. Lawsuits against breached companies have seen little success in recent years. In 2007, TJX Companies agreed to pay $40.9 million in settlements to Visa issuers after announcing a breach, on the agreement that the banks would not sue the retailer, but the case was never granted class-action status. Separate class-action suits filed by consumers against Brazos Higher Education Service Corp and Triwest Healthcare Alliance in 2006 regarding stolen computer hardware were also dismissed, with the court ruling in both cases that the companies had not broken any security obligations established by the Gramm-Leach-Bliley Act.
Heartland says it has taken steps to improve its security and reassure its merchants since it announced Jan. 20 it had discovered the source of a security breach in its processing system, which actually is thought to have begun in May 2008. Heartland said no merchant data, cardholder Social Security numbers, PIN numbers, addresses, or phone numbers were involved in the breach, but an investigation conducted later discovered that hackers had compromised some data, including card account numbers, expiration dates, magnetic stripe information, and even some cardholder names.
Heartland announced shortly after Jan. 23 that it had added more than 200 merchants since the discovery of the breach, more than in the same period in 2008, and on Jan. 27 said it had created a department to develop end-to-end encryption, a data protection tool that could be more secure and sophisticated than PCI. A website set up by the company has been criticized for whitewashing the damage reports and offering little information, including any of the names of companies affected. Heartland has also not offered free credit monitoring or ID theft protection for victims, saying that such information could lead to the theft of identities that were not originally put at risk by the breach.
Police catch small fry
On Feb. 10, Florida police arrested three men allegedly involved in the data breach. According to the Leon County Sheriff's Office, the men used information stolen from Heartland to encode gift cards, which were in turn used to purchase merchandise that was sold for cash. The press release said the men ran up over $100,000 in charges, with more expected as the investigation continues.
The men are believed to be end users of the stolen goods, not the masterminds. "This incident may be the result of a widespread global cyberfraud operation," says Heartland in its breach FAQ page, "and the company is cooperating closely with the United States Secret Service and Department of Justice."
No official numbers have been released for the amount of data that has been compromised or consumers who have been affected, but Heartland processes payments for approximately 250,000 merchants, including more than 3,500 online merchants, and handles over 100 million transactions, meaning more than 45 million cases of identity theft could have resulted, according to ComputerWeekly.com.
Published: April 1, 2009