According to the New York Times, data thieves introduced the Heartland malware as early as May, and Heartland didn't open its eyes until late fall 2008. Then Heartland chose inauguration day to make its announcement.
Robert Baldwin Jr., Heartland's president and chief financial officer, told media that it is too early to estimate how many people are affected. Baldwin said comparisons to the TJX data breach of 2007, when 45 million credit and debit card numbers were stolen, are premature, and that it's unfair to call this the greatest breach of financial data ever.
Data security analysts disagree. Data security analyst Avivah Litan told the Times, "If you add it all up, including legal costs, it could be as much as half a billion dollars in losses -- or twice as big as TJX."
So what are Heartland's next steps? USA Today quotes Baldwin saying Heartland plans to "notify each victim whose data were stolen to comply with data-loss disclosure laws in more than 30 states." Much more than 30 states: 44 states have data-loss disclosure laws on the books, and federal legislation is pending. Based on Baldwin's words, it appears Heartland is willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data has been stolen.
The problem worsens. According to USA Today, security firm CardCops has been tracking a 20 percent year-on-year increase of hackers testing batches of payment card numbers to ensure they're still active. "The numbers could have come from a processor, like Heartland, or some other source that has access to a lot of customer data but is not a retailer," Dan Clements, CardCops president, told USA Today.
Heartland's actions stink of denial. It's embarrassing and nasty when hackers breach major financial institutions and pillage, and it definitely damages a company's reputation. But if said company isn't willing to accept responsibility and take action to support its customers, it deserves part of the blame. What's more, it only further pollutes consumer confidence, which, given the recession, is already in the dumps.