Heartland is a credit card transaction processor that failed to maintain data security. As a result, a malicious program got installed on their servers, compromising about 100 million credit card numbers, expiration dates, and internal routing numbers (all that is required to perpetrate credit card fraud). It took security people several months to actually convince Heartland that their system was compromised.
The breach was disclosed a few days ago. Quietly. On Inauguration Day.
Incredibly, Heartland is simply letting the consumers hang out there. Screw them, they say. Details after the fold.
Heartland is a credit card transaction processor that failed to maintain data security. As a result, a malicious program got installed on their servers, compromising about 100,000 credit card numbers. It took security people several months (from May 2008 until November 2008) to actually convince Heartland that their system was compromised. Heartland then waited until January 20, 2009, Inauguration Day, to disclose the data breach as quietly as possible.
The mainstream media are misreporting the story. They are reporting that Heartland Payment Systems of Princeton, N.J. had "just discovered" that they were compromised. In fact, that is wrong.
Here is an example of the false mainstream media story, as provided by CBS News:
Sources tell CBS News that hackers cracked Heartland's computers as far back as May of last year. But it wasn't until last week, after being alerted to suspicious activity by Visa and MasterCard, that the company uncovered malicious software in its system.
In fact, security experts told Heartland that they were in fact compromised last May, but Heartland persisted in complete denial and simply ignored the warnings. It took until now, January 2009, to convince Heartland to give up on their stubborn denial. That is a good eight months of letting the consumers hang out there and get screwed by the criminals. And then, they issued a press release on Inauguration Day, hoping that the day's news would cover up their announcement.
Heartland is a credit card processor for merchants and franchises. If you, as a consumer, ask Heartland for the list of merchants, here is the email that you will get:
Thank you for your inquiry. Due to our contractual obligations to our merchants we can not disclose any merchant information. You may contact your issuing bank to determine if you are impacted. As a cardholder, you will need to check your credit card statements thoroughly to see if there are any transactions that you did not make. If so, immediately contact the bank that issued your credit card. The customer service number is on the statement and also on the back of the credit/debit card. We have provided the impacted card numbers to MasterCard and Visa. They in turn have provided those to the issuing bank. This is the process mandated by the card companies. I apologize for any inconvenience this may cause you.
Now, notice that they mention nothing of their contractual obligation to keep your consumer data secure. They just tell you that you are on your own, and the best of luck to you.
In other words, here is their answer: Yes, we allowed crooks to access your data. But it's your responsibility to make sure there are no fraudulent charges on your credit cards. Just call the customer service number on the back of your credit card. You have nothing else to do in your pathetic, pitiful lives as consumers. We won't even give you the time of day. Now STFU.
PC World has another take on this:
Heartland Has No Heart for Violated Customers
Heartland's actions stink of denial. It's embarrassing and nasty when hackers breach major financial institutions and pillage, and it definitely damages a company's reputation. But if said company isn't willing to accept responsibility and take action to support its customers, it deserves part of the blame. What's more, it only further pollutes consumer confidence, which, given the recession, is already in the dumps.
Here is my take. Heartland's refusal to disclose which merchants clear credit card transactions through them constitutes refusal to take reasonable and minimal actions to assist consumers in mitigating damages. Such refusal to assist consumers in mitigating damages increases Heartland's civil liability for all damages incurred by consumers, including damage to reputation (by refusing to prevent damaging entries into credit records), distress, inconvenience, time, and legal costs.
Class action, here we come.
But we need legislative action. As reported by the datalossdb Open Security Forum, this bill never made it out of the last Congress.
S.1178 Identity Theft Prevention Act
Data Loss DB Overview:
This bill requires notification to the FTC of data breaches. It also requires the FTC to post these notifications online if the breach affects more than 1,000 individuals. The bill also requires notification to consumers in the event of a breach affecting their personal information if the "breach of security creates a reasonable risk of identity theft". The bill would also require notification "not later than 25 business days after the date on which the breach of security was discovered by the covered entity". In addition to breach notification, the bill also covers security freezes and other relevant topics.
We need to change that!