Strategic Profits Inc

Heartland breach cost $12.6 million, CEO says

Jul 02, 2009

Heartland Payment Systems Inc. said it was experiencing losses this quarter as a direct result of a massive data breach it disclosed in January when investigators discovered a malicious program sniffing credit card data passing through its systems.

The company said it took a $2.5 million loss for the quarter as a result of spending more than $12.6 million in legal bills, fines from MasterCard and Visa and administrative costs. The announcement was made during the company's financial earnings call, where Carr said the costs associated with the breach could continue to climb.

"Our defense of the claims regarding the processing system intrusion remains ongoing," he said. "Much of the legal work remains to be done and it is difficult to anticipate when these matters will come to a conclusion." Carr also admitted for the first time that since the Princeton, N.J.-based processing giant announced a breach of its systems, some of the payment processor's clients have switched to competitors as a result of the breach. He said some competing processors resorted to scare tactics.

"We have had many competitors that have been very supportive and professional, and we certainly don't want to tar all of our competitors with the same brush," Carr said. "We have had some competitors telling merchants falsely that they would be fined $10,000 a day if they stay with Heartland. We think we're through the worst of that."

Carr said less than $1 million of the breach costs were fines levied by MasterCard and Visa against the company's sponsored banks. The fines are being contested, he said. More than $500,000 relates to a fine assessed by MasterCard against the sponsored banks in which the card company said Heartland failed to take appropriate action upon learning that a breach was suspected. Carr said the fine is in direct violation of both the MasterCard rules and law.

"Heartland believes that it responded appropriately to all the information that it learned regarding the possibility of a system breach and upon discovering the intrusion it took immediate and extraordinary action to address the intrusion," Carr said. "Moreover, Heartland believes that throughout the events of '08 and '09 it has fully cooperated with MasterCard's investigation of first the suspicion and later the fact that an intrusion had occurred."

New encrypted terminal announced

In addition, the company said it would implement end-to-end encryption when payment transaction data is sent from the merchant to the processor. The company said it would roll out a payment transaction encryption terminal system with a trial project beginning this summer. Although details were scarce, Carr said the system includes both a hardware and software implementation and would be launched with the help of technology partners.

"We are in a cybercrime arms race and we need to stay ahead of the bad guys who never rest and do not call committee meetings to update their malicious tools and attack vectors," Carr said. Heartland is in discussions with some of the card brands to improve encryption, he said. The card brands currently take file encrypted transactions. Carr said security could be improved if the brands took track and PAN data encrypted transactions.

Heartland also announced that it was working with the Accredited Standards Committee X9 Inc. to develop a standard for protecting sensitive payment card data in transit. The company hosted a preliminary planning workshop on the ASC X9 standards effort today in Texas.

Previous Posts

Apr 20.09 | RBS, Heartland no longer PCI compliant

By Dan Goodin in San Francisco • Posted in Security, 13th March 2009 21:40 GMT

Visa on Friday alerted the world that RBS WorldPay and Heartland Payment Systems are not on its list of payment card processors who are in good standing with industry-mandated standards for data security.

The move follows announcements by both companies that they experienced data breaches that exposed details for a large number of credit cards to criminal hackers. RBS said the security lapse exposed 1.5 million cards. Heartland has yet to say how many cards were affected.

Sep 30.08 | FAQ: Clickjacking -- should you be worried? Nearly all browsers are vulnerable to this new attack class, but details are scarce!

Jul 25.08 | Credit-card fraud probe targets Pearson's self-service kiosks

An investigation of suspected credit-card fraud at Toronto's Pearson airport is now concentrating on the security of its 150 self-service check-in kiosks.


Moneris’ new eSELECTplus® payment tool will be used with Wylie’s Web site so organizations can easily accept electronic contributions and purchases online

Jan 18.08 | Silent Banker Trojan..Banking in Silence

Beware the Silent Banker Trojan which sits quietly between your computer and your online banking to steal away payments. It can silently change the user-entered destination bank account details to the attacker's account details instead.

Jan 14.08 | November 6, 2007 92 Convio Clients Hit In Security Breach

Firm says no financial data was accessed
By Mark Hrywna, The NonProfit Times


Oct 24.07 | Court filing in TJX breach doubles toll

94 million accounts were affected, banks say
By Ross Kerber, Globe Staff | October 24, 2007

Sep 10.07 | SPIguard Security Solutions Inc. QSA certification with PCI Standards Council, L.L.C.

It's official! SPIguard Security Solutions Inc. is certified with PCI SSC as a QSA!