Heartland’s breach disclosure timing raises eyebrows

The timing of Heartland Payment Systems' announcement that its networks had been broken into last year by unknown intruders has raised a few eyebrows. Some see yesterday's announcement as an attempt by the Princeton, N.J.-based payment card processor to bury the bad news on a day when the media and the public at large were totally consumed with President Barack Obama's inauguration.

Considering that the breach may well turn out to be the largest ever to be disclosed by any company, one can see where the skepticism is coming from. But Jim Huguelet, an independent security consultant based in Bolingbrook, Ill., thinks it's just possible that the timing of the disclosure may have been a somewhat fortuitous break for Heartland.

Huguelet was one of those who initially had been somewhat skeptical about Heartland's timing of the announcement on Inauguration Day. So he went and took a look at the domain registration information for the Web site Heartland is using to convey information on the breach. What he discovered is that the site was only registered on Monday, a day before the disclosure. That doesn't necessarily prove anything, Huguelet admits. But it does seem to suggest that the planning for the notification process started only a day before. "If it had been registered, say, last week," that might have indicated a more deliberate plan to delay the notification until Inauguration Day, he said.

Who knows? As Huguelet says, the timing might simply have been an "interesting coincidence". Heartland has not responded to requests for comment.

Heartland so far has not disclosed when exactly it was broken into, for how long the hackers had access to payment card data as it traversed the company's networks, or how many card accounts might have been compromised. But some, like Gartner's Avivah Litan, think the total number of card accounts that might have been compromised could eventually exceed 100 million, a number that would dwarf the 45.6 million announced by TJX in Jan. 2007.

If you are forced by state laws to disclose a data breach, yesterday would've been a perfect day to do it for sure. But if the numbers we're talking about here are anywhere near accurate, the timing of Heartland's announcement is going to do absolutely nothing to keep a lid on the story.
