Heartland breach costs at $12.6M - and counting
Biggest portion of expenses has been a MasterCard fine
Computerworld - In an indication of how expensive the breach at Heartland Payment Systems Inc. could turn out to be, the payment processor last week said it has already spent or set aside more than $12.6 million to cover intrusion-related costs.
Of that amount, about $6 million is a fine imposed on the company by MasterCard, which Heartland is disputing.
In addition to the direct costs, the intrusion also hurt Heartland's first quarter revenues and its ability to pursue new customers, CEO Robert Carr said in an earnings release.
"With the first quarter behind us, we believe we are effectively managing the disruption to operations from the processing system intrusion and increasingly freeing additional sales resources to focus on our growth initiatives," Carr said in the statement.
Heartland, based in Princeton, N.J., is one of the largest payment-processing companies in the country with about 250,000 customers. In January, the company announced that intruders had broken into its systems last year and potentially compromised card data belonging to an unknown number of people. The intrusion is first believed to have occurred last May, though it remained undiscovered until January, even though credit card companies had warned Heartland about suspicious activity relating to transactions it had processed. The breach is believed to be one of the largest involving credit cards, with some saying as many as 100 million cards may have been compromised.
The intrusion resulted in several lawsuits against Heartland by consumers as well as by banks and credit unions seeking to recover breach notification and card reissuing costs. It also led to Visa USA's temporarily delisting Heartland from its approved list of service providers that are compliant with a credit card industry security standard known as the Payment Card Industry Data Security Standard (PCI DSS). Heartland recently got back on to the approved list after passing a fresh PCI security audit.
In last week's earnings statement, Carr said Heartland would fight the fine imposed by MasterCard, which claimed that Heartland failed to respond appropriately after it was notified last year that it might have suffered a breach.
"We believe we took immediate and extraordinary actions to address the intrusion" and in working with the credit card companies in investigating the breach, Carr said. "(S)o we will vigorously contest any effort to hold us liable for the MasterCard fine," he said.
The amount that Heartland says it has spent or set aside for the breach so far "seems reasonable based on what they have publicly talked about," said Avivah Litan, an analyst with Stamford, Conn.-based Gartner Inc. But "the case still remains shrouded in too much mystery to know for certain what other potential damages will add up to," she said.
Unlike the January 2007 data compromise involving Massachusetts retailer TJX Companies Inc. "for some reason, the banking and card industry has been much quieter about this case in public," Litan said. I suspect it's because this is a top 10 U.S. processor and damage to Heartland, especially in a soft economy, could boomerang on the banks," she added.
The TJX compromise, which at the time was believed to be the largest involving credit and debit cards, resulted in the company having to pay a staggering $150 million in breach costs. The number, which one Forrester analyst predicted could reach $1 billion in direct and indirect costs, included a $41 million settlement with various banks that had sued the retailer.
Read more about Security in Computerworld's Security Topic Center.
- SIP Migration: Addressing CIOs' Concerns Recent data from IDG Research shows that many IT executives are counting on SIP to help them meet employee efficiency and customer experience...
- City Solved Network Mystery - Saves $30K The City of Jacksonville put their hunch to work and not only solved a mystery, but found a new and innovative use for...
- Using Video to Gain a Competitive Advantage: A Business Strategy for Mid-Market Companies The insights provided in this white paper are based on industry analysts and 30+ years of experience from the Video Collaboration Group at...
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Live Webcast How to serve up a Grand Slam with a scalable IT Infrastructure for cloud, big data and advanced analytics Register today to attend this webcast, and see examples of how The U.S. Tennis Association, Wimbledon and U.S. Golf Association are using the...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Live Webcast IBM FlashSystem V840: Leveraging Software-Defined Flash to Drive Your Business With end-to-end, tightly integrated functionality and super-fast flash technology, products like IBM FlashSystem V840 Enterprise Performance Solution empower businesses to leverage the efficiency...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Network Security White Papers | Webcasts