Heartland breach costs at $12.6M - and counting
Biggest portion of expenses has been a MasterCard fine
Computerworld - In an indication of how expensive the breach at Heartland Payment Systems Inc. could turn out to be, the payment processor last week said it has already spent or set aside more than $12.6 million to cover intrusion-related costs.
Of that amount, about $6 million is a fine imposed on the company by MasterCard, which Heartland is disputing.
In addition to the direct costs, the intrusion also hurt Heartland's first quarter revenues and its ability to pursue new customers, CEO Robert Carr said in an earnings release.
"With the first quarter behind us, we believe we are effectively managing the disruption to operations from the processing system intrusion and increasingly freeing additional sales resources to focus on our growth initiatives," Carr said in the statement.
Heartland, based in Princeton, N.J., is one of the largest payment-processing companies in the country with about 250,000 customers. In January, the company announced that intruders had broken into its systems last year and potentially compromised card data belonging to an unknown number of people. The intrusion is first believed to have occurred last May, though it remained undiscovered until January, even though credit card companies had warned Heartland about suspicious activity relating to transactions it had processed. The breach is believed to be one of the largest involving credit cards, with some saying as many as 100 million cards may have been compromised.
The intrusion resulted in several lawsuits against Heartland by consumers as well as by banks and credit unions seeking to recover breach notification and card reissuing costs. It also led to Visa USA's temporarily delisting Heartland from its approved list of service providers that are compliant with a credit card industry security standard known as the Payment Card Industry Data Security Standard (PCI DSS). Heartland recently got back on to the approved list after passing a fresh PCI security audit.
In last week's earnings statement, Carr said Heartland would fight the fine imposed by MasterCard, which claimed that Heartland failed to respond appropriately after it was notified last year that it might have suffered a breach.
"We believe we took immediate and extraordinary actions to address the intrusion" and in working with the credit card companies in investigating the breach, Carr said. "(S)o we will vigorously contest any effort to hold us liable for the MasterCard fine," he said.
The amount that Heartland says it has spent or set aside for the breach so far "seems reasonable based on what they have publicly talked about," said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc. But "the case still remains shrouded in too much mystery to know for certain what other potential damages will add up to," she said.
Unlike the January 2007 data compromise involving Massachusetts retailer TJX Companies Inc. "for some reason, the banking and card industry has been much quieter about this case in public," Litan said. I suspect it's because this is a top 10 U.S. processor and damage to Heartland, especially in a soft economy, could boomerang on the banks," she added.
The TJX compromise, which at the time was believed to be the largest involving credit and debit cards, resulted in the company having to pay a staggering $150 million in breach costs. The number, which one Forrester analyst predicted could reach $1 billion in direct and indirect costs, included a $41 million settlement with various banks that had sued the retailer.
Read more about Security in Computerworld's Security Topic Center.
- Warning: Cloud Data at Risk Experts agree that relying on SaaS vendors to backup and restore your data is dangerous. Yet that's exactly what huge portions of the...
- The Opportunities and Challenges of the Cloud In this report F5 poses questions to IDC analysts, Sally Hudson and Phil Hochmuth, on behalf of F5's customers to better understand the...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- The Truth About Cloud Security "Security" is the number one issue holding business leaders back from the cloud. But does the reality match the perception?
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!