Learning From the Heartland Credit Card Breach
Three suspected hackers are now facing federal charges in connection with the largest identity theft case ever to reach America's courts. The men are accused of breaking into the files of Heartland Payment Systems, the world's ninth largest credit processing company, and stealing more than 130 million credit and debit card numbers.
One of the men is a 28-year-old from Miami named Albert Gonzalez. The other two suspects are identified only as being from somewhere in Russia.
Data Hacking History
If Gonzalez's name sounds familiar, there's a reason: He's been tied to other large-scale data theft cases in the past. Gonzalez was charged in the theft of more than 40 million credit card numbers from TJ Maxx, Barnes & Noble, and other companies last summer. He's also accused in the theft of thousands of cards from Dave & Buster's in 2007. According to the Associated Press, Gonzalez is currently in jail awaiting that trial, which is set to begin next month.
Heartland's Hack, In Perspective
Put into perspective, the Heartland case is far above and beyond any data theft in the past; in fact, according to a database maintained by nonprofit advocacy group Privacy Rights Clearinghouse, the number of affected accounts in the hack is equal to nearly half the total number of compromised accounts in all breaches on record since 2005.
To be fair, that total number is likely on the low side: Many breaches have unknown numbers of affected records, Privacy Rights Clearinghouse points out, and some cards may have been breached multiple times. Still, it provides a rough estimate of where this hack stands in the big picture.
"It's definitely a significant percentage of the total number of breaches," says Paul Stephens, director of policy and advocacy for Privacy Rights Clearinghouse.
So what can you do to protect yourself from these kind of data thefts? The best advice Stephens and his team can offer is to think carefully about what kind of cards you own. When it comes to security, debit may not be your safest bet.
The reason: With a credit card, you'll discover unauthorized charges on your statement. You'll be able to dispute them and have them removed immediately, without losing any money, while the company investigates. With a debit card, it's a different story.
"Chances are, you're going to find out about a breach when your bank account balance is zero and you've bounced a whole bunch of checks," Stephens says. "Then, debit card companies have up to two weeks to research what you're claiming to be fraudulent activity, and during that two-week period, they don't have to restore the funds to your account."
Privacy Rights Clearinghouse recommends you request a nondebit ATM card from your bank in order to reduce your risk. In the end, it may be impossible to completely safeguard yourself from potentially falling victim to a breach. What you can do, though, is control what would happen after a breach has taken place.
"The fact of the matter is, if you use a credit card or a debit card, ultimately you're bound to come up against some sort of breach," Stephens says. "The question is, given that fact, what type of card do you want to have when it occurs?"