On Tuesday, one of the busiest news days of the year, Heartland Payment quietly released a statement declaring the company’s card processing system had been hacked. Since the company handles more than 100 million credit card transactions monthly serving more than 250,000 businesses ranging from restaurants to retailers to payroll systems, chances are someone in every state is affected by this major data loss.
Here’s how the hack works: en route to Heartland’s processing centers, data-sniffing software captures credit card information from the card’s magnetic strip. This includes everything needed to duplicate a card: card number, expiration date, and internal bank codes. Breaches in your personal account are difficult to detect, as credit card thieves often test the waters by spending one dollar or less on a card to make sure it’s still active and able to pass a fraudulent charge.
According to the New York Times, data thieves introduced the Heartland malware as early as May, and Heartland didn’t open its eyes until late fall 2008. Then Heartland chose inauguration day to make its announcement.
Robert Baldwin Jr., Heartland’s president and chief financial officer, told media that it is too early to estimate how many people are affected. Baldwin said comparisons to the TJX data breach of 2007, when 45 million credit and debit card numbers were stolen, are premature, and that it’s unfair to call this the greatest breach of financial data ever.
Data security analysts disagree. Data security analyst Avivah Litan told the Times, “If you add it all up, including legal costs, it could be as much as half a billion dollars in losses — or twice as big as TJX.”
So what are Heartland’s next steps? USA Todayquotes Baldwin saying Heartland plans to “notify each victim whose data were stolen to comply with data-loss disclosure laws in more than 30 states.” Much more than 30 states: 44 states have data-loss disclosure laws on the books, and federal legislation is pending. Based on Baldwin’s words, it appears Heartland is willing to do only the bare minimum and comply with state laws instead of taking the extra effort to notify every single customer, regardless of law, about whether their data has been stolen.
The problem worsens. According to USA Today, security firm CardCops have been tracking a 20 percent year-on-year increase of hackers testing batches of payment card numbers to ensure they’re still active. “The numbers could have come from a processor, like Heartland, or some other source that has access to a lot of customer data but is not a retailer,” Dan Clements, CardCops president, told USA Today.
Heartland’s actions stink of denial. It’s embarrassing and nasty when hackers breach major financial institutions and pillage, and it definitely damages a company’s reputation. But if said company isn’t willing to accept responsibility and take action to support its customers, it deserves part of the blame. What’s more, it only further pollutes consumer confidence, which, given the recession, is already in the dumps.