New Allegations in Heartland Breach

Lawsuit consolidates 16 separate class-action suits
October 13, 2009

New allegations regarding the massive Heartland Payment Systems data breach have emerged in a master complaint recently filed in U.S. Southern District Court in Houston, Computerworld reported. The complaint, filed by several financial institutions against Heartland, charges the payment processor with counts including breach of contract, negligence, and violations of statutes broadly prohibiting unconscionable acts and practices.

The Heartland incident was the largest data breach involving payment card data on record, with some 130 million credit and debit card accounts compromised, primarily over the course of several months in 2008.

The court documents suggest that before announcing details of the Heartland breach in January 2009, Heartland CEO Robert Carr told industry analysts that the Payment Card Industry Data Security Standard (PCI DSS) was an insufficient protective measure, according to an Oct. 5 article in BankInfoSecurity.com. “Heartland executives were well aware before the Data Breach occurred that the bare minimum PCI-DSS standards were insufficient to protect it from an attack by sophisticated hackers,” according to the 52-page complaint.

Filed in U.S. Southern District Court in Houston, the complaint is a consolidation of 16 separate class-action lawsuits filed against Heartland by several financial institutions. Another BankInfoSecurity.com report notes that, according to the filing, executives allegedly misrepresented their “state of the art” security measures when publicly touting Heartland’s “multiple layers of security.”

What else was learned?

The complaint notes that although the breach began as early as December 26, 2007, it was not discovered until late October 2008, when Visa alerted the payment processor to “suspicious activity surrounding certain cardholder accounts.”

In a webinar held for high-level employees the day after the breach was announced, staff were told that “PCI compliance was not a big deal,” the complaint alleges.

A relationship manager at Heartland resigned on or around April 23, 2009, in part because of Heartland’s statements regarding its PCI compliance. The complaint notes: “A Referee’s Decision in a Delaware Department of Labor proceeding reached the conclusion that this relationship manager had ‘good cause’ to leave her position at Heartland based, in part, on Heartland’s conduct.”

According to BankInfoSecurity.com, 673 financial institutions have to date publicly stated they were affected by the Heartland breach. Heartland has publicly admitted to spending more than $32 million so far on breach-related costs.

©2003-2010 Identity Theft 911, LLC. All rights reserved.