Heartland breach costs at $12.6M - and counting
Biggest portion of expenses has been a MasterCard fine
Computerworld - In an indication of how expensive the breach at Heartland Payment Systems Inc. could turn out to be, the payment processor last week said it has already spent or set aside more than $12.6 million to cover intrusion-related costs.
Of that amount, about $6 million is a fine imposed on the company by MasterCard, which Heartland is disputing.
In addition to the direct costs, the intrusion also hurt Heartland's first quarter revenues and its ability to pursue new customers, CEO Robert Carr said in an earnings release.
"With the first quarter behind us, we believe we are effectively managing the disruption to operations from the processing system intrusion and increasingly freeing additional sales resources to focus on our growth initiatives," Carr said in the statement.
Heartland, based in Princeton, N.J., is one of the largest payment-processing companies in the country with about 250,000 customers. In January, the company announced that intruders had broken into its systems last year and potentially compromised card data belonging to an unknown number of people. The intrusion is believed to have first occurred last May, though it remained undiscovered until January, even though credit card companies had warned Heartland about suspicious activity relating to transactions it had processed. The breach is believed to be one of the largest involving credit cards, with some saying as many as 100 million cards may have been compromised.
The intrusion resulted in several lawsuits against Heartland by consumers as well as by banks and credit unions seeking to recover breach notification and card reissuing costs. It also led to Visa USA's temporarily delisting Heartland from its approved list of service providers that are compliant with a credit card industry security standard known as the Payment Card Industry Data Security Standard (PCI DSS). Heartland recently got back on to the approved list after passing a fresh PCI security audit.
In last week's earnings statement, Carr said Heartland would fight the fine imposed by MasterCard, which claimed that Heartland failed to respond appropriately after it was notified last year that it might have suffered a breach.
"We believe we took immediate and extraordinary actions to address the intrusion" and in working with the credit card companies in investigating the breach, Carr said. "(S)o we will vigorously contest any effort to hold us liable for the MasterCard fine," he said.
The amount that Heartland says it has spent or set aside for the breach so far "seems reasonable based on what they have publicly talked about," said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc. But "the case still remains shrouded in too much mystery to know for certain what other potential damages will add up to," she said.
Unlike the January 2007 data compromise involving Massachusetts retailer TJX Companies Inc., "for some reason, the banking and card industry has been much quieter about this case in public," Litan said. "I suspect it's because this is a top 10 U.S. processor and damage to Heartland, especially in a soft economy, could boomerang on the banks," she added.
The TJX compromise, which at the time was believed to be the largest involving credit and debit cards, resulted in the company having to pay a staggering $150 million in breach costs. The number, which one Forrester analyst predicted could reach $1 billion in direct and indirect costs, included a $41 million settlement with various banks that had sued the retailer.