Top executives at Heartland Payment Systems spoke truthfully about the state of security at the company, a federal judge said earlier this week before dismissing a class-action lawsuit against the payment processor.
The shareholder lawsuit, filed in March, was dismissed Monday by Judge Anne Thompson of the U.S. District Court for the District of New Jersey.
Heartland was sued by shareholders after its stock dropped nearly 80 percent following the largest data breach in U.S. history. The plaintiffs in the case say that Heartland executives lied when asked about the state of the company’s security in earnings conference calls and by failing to disclose a 2007 SQL injection attack on its payroll system in Securities and Exchange Commission filings.
That December 2007 SQL injection attack was important because it gave criminals a back door into the company’s payment processing system, the plaintiffs alleged. Ultimately hackers stole more than 130 million credit card numbers.
But in her opinion, Judge Thompson said that because Heartland had not confirmed the credit card hack until January 2009, the company’s executives were telling the truth when they told investors that they took security seriously.
“The fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security’,” she wrote in a 14-page opinion, filed Monday.
In a Feb 13, 2008, conference call — several months after the SQL attack — Heartland CEO Robert Carr and Chief Financial Officer Robert Baldwin Jr. told analysts that the company had spent more than a million dollars on computer security during the last quarter of 2007, but that this spending was not in response to any security incident. Thompson found that this answer was truthful, because the Dec. 26 SQL attack happened “far too late in the quarter to have been the cause for the million-plus dollar expenditure.”
“If the analysts had simply asked, ‘Did you suffer a security lapse in the fourth quarter 2007?’ then Defendant’s answers might very well have been misleading,” she wrote.
Heartland had no comment on the ruling, apart from a brief statement acknowledging that it had occurred. Lawyers representing plaintiffs in the case did not reply to messages seeking comment.
In May, 28 year-old Albert Gonzalez was charged with the crime. In court filings, he has indicated that he is willing to plead guilty to computer hacking charges, but has not been sentenced. Earlier this week, a federal case against him in New Jersey was transferred to Massachusetts, where he is also facing charges.