Heartland breach costs at $12.6M - and counting
Biggest portion of expenses has been a MasterCard fine
Computerworld - In an indication of how expensive the breach at Heartland Payment Systems Inc. could turn out to be, the payment processor last week said it has already spent or set aside more than $12.6 million to cover intrusion-related costs.
Of that amount, about $6 million is a fine imposed on the company by MasterCard, which Heartland is disputing.
In addition to the direct costs, the intrusion also hurt Heartland's first quarter revenues and its ability to pursue new customers, CEO Robert Carr said in an earnings release.
"With the first quarter behind us, we believe we are effectively managing the disruption to operations from the processing system intrusion and increasingly freeing additional sales resources to focus on our growth initiatives," Carr said in the statement.
Heartland, based in Princeton, N.J., is one of the largest payment-processing companies in the country with about 250,000 customers. In January, the company announced that intruders had broken into its systems last year and potentially compromised card data belonging to an unknown number of people. The intrusion is first believed to have occurred last May, though it remained undiscovered until January, even though credit card companies had warned Heartland about suspicious activity relating to transactions it had processed. The breach is believed to be one of the largest involving credit cards, with some saying as many as 100 million cards may have been compromised.
The intrusion resulted in several lawsuits against Heartland by consumers as well as by banks and credit unions seeking to recover breach notification and card reissuing costs. It also led to Visa USA's temporarily delisting Heartland from its approved list of service providers that are compliant with a credit card industry security standard known as the Payment Card Industry Data Security Standard (PCI DSS). Heartland recently got back on to the approved list after passing a fresh PCI security audit.
In last week's earnings statement, Carr said Heartland would fight the fine imposed by MasterCard, which claimed that Heartland failed to respond appropriately after it was notified last year that it might have suffered a breach.
"We believe we took immediate and extraordinary actions to address the intrusion" and in working with the credit card companies in investigating the breach, Carr said. "(S)o we will vigorously contest any effort to hold us liable for the MasterCard fine," he said.
The amount that Heartland says it has spent or set aside for the breach so far "seems reasonable based on what they have publicly talked about," said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc. But "the case still remains shrouded in too much mystery to know for certain what other potential damages will add up to," she said.
Unlike the January 2007 data compromise involving Massachusetts retailer TJX Companies Inc. "for some reason, the banking and card industry has been much quieter about this case in public," Litan said. I suspect it's because this is a top 10 U.S. processor and damage to Heartland, especially in a soft economy, could boomerang on the banks," she added.
The TJX compromise, which at the time was believed to be the largest involving credit and debit cards, resulted in the company having to pay a staggering $150 million in breach costs. The number, which one Forrester analyst predicted could reach $1 billion in direct and indirect costs, included a $41 million settlement with various banks that had sued the retailer.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts