In the first real indication of the scope of the recently disclosed data breach at Heartland Payment Systems Inc., banks and credit unions from Washington to Maine have begun to reissue thousands of credit and debit cards over the past few days.
Several have also begun disclosing fraud associated with payment cards that were reported to them by Visa and MasterCard as having been exposed in the breach.
A Pennsylvania law firm today filed the first class-action lawsuit related to the breach. Chimicles & Tikellis LLP in Haverford, Pa., filed the lawsuit on behalf of Alicia Cooper, a resident of Woodbury, Minn., and others who might have been affected by the breach.
The complaint, filed in the U.S. District Court for the District of New Jersey in Trenton, alleges that Cooper, whose card was compromised in the breach, and others, were victims of Heartland's negligence in protecting cardholder data. The lawsuit, which calls for a jury trial, charged Heartland with breach of contract, breach of implied contract and breach of fiduciary contract for the breach.
The compromise has pushed the Washington Credit Union League (WCUL) in Federal Way, Wash., to revive legislation that would mandate specific data protection controls on all merchants and third parties, such as Heartland, that process payment card data. The bill (HB 1149) received its first hearing last Thursday in the Washington State House Committee on Financial Institutions and Insurance, according to a statement released by the WCUL.
Heartland, a Princeton, N.J.-based processor of payment card transactions, disclosed last Tuesday that its systems had been broken into by unknown intruders sometime last year. The company claimed that the intrusion -- which some are calling the biggest ever -- was discovered only earlier this month. Visa and MasterCard alerted Heartland of suspicious transaction activity, triggering Heartland to conduct its own forensic investigation, during which the intrusion was discovered.
The company said that intruders planted sophisticated sniffer software in its network and stolen data as cards were being processed.
Heartland has not yet released any information on the number of cards exposed in the intrusion. But the fact that the company processes more than 100 million transactions per month for over 250,000 customers has sparked speculation that the breach might be even bigger than the one disclosed by The TJX Companies Inc. in which more than 45 million payment cards were compromised.
Since its disclosure, a growing number of financial institutions across the country have begun notifying their customers of their cards being potentially compromised as a result of the breach. In most cases, the compromises result in the cards being blocked and recalled by the financial institutions. A small sample of those making such announcements included the following:
- Sovereign Bank has posted a notice on its Web site alerting account-holders that the bank's cards had been affected by the breach. The bank said it is still determining the number of compromised cards.
- The Platte Valley Bank in Scottsbluff, Neb., issued an alert saying that 433 of its debit and credit card customers had been affected by the breach. The statement stressed that the bank's own systems had not been hacked into, and said that the compromise was the result of the intrusion at Heartland. First State Bank, also in Scottsbluff, said 200 of its customers had been affected. "This could possibly be a bigger breach than TJ Maxx and has affected customers of every bank in the area," the alert noted.
- The Association of Vermont Credit Unions said that as of last Friday, the breach had affected about 6,000 ATM check cards and thousands of credit cards at credit unions across the state. In a statement, the association said it had learned of the breach on Friday, Jan. 9 or more than 10 days before Heartland disclosed it.
- Jenny Reynolds, vice president of marketing at CU Community Credit Union in Springfield, Mo., said that so far the breach has resulted in about 16 compromised cards belonging to the credit union that were used to commit about $11,000 worth of fraudulent transactions. In total, the credit union has blocked 350 Visa cards after the breach disclosure, Reynolds said. The fraud itself occurred last November even before Heartland disclosed the breach, she added. Many of the fraudulent transactions involved purchases at gas stations and small merchandise, she said. "I haven't spoken to one financial institution that hasn't been affected by the breach," she said.
- The WCUL noted that some the state's financial institutions have reported that more than half of their card base as being affected by the breach. Most credit union leaders believe that the effect during the initial days is just the "tip of the iceberg," the association warned.
- Representatives from the Maine Credit Union League, the California Credit Union League and the Massachusetts Bankers Association told Computerworld that their members have been affected by the breach, though they all said it was still too soon to determine the full scope of the compromise.
Meanwhile, CUNA Mutual Group, a firm that insures credit unions, said its risk management analysts had noticed an unusual increase in fraudulent payment card activity as early as October last year and had forwarded the information to MasterCard and Visa.
On Jan. 21, CUNA sent out an alert to more than 5,000 credit unions nationwide on Jan. 21 offering recommendations for credit unions to mitigate losses from the breach. The alert quoted Chuck Cashman, CUNA Mutual product executive, as saying that while the exact number of affected cards was not known, it was expected to be "many millions."