January 28, 2009 2:01 PM PST

Heartland sued over data breach

by Elinor Mills

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week.

The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies.

Heartland was alerted in late October by Visa and MasterCard to suspicious activity surrounding processed card transactions and hired forensic auditors, who uncovered malicious software that compromised data in the company's network, Robert H.B. Baldwin Jr., chief financial officer of Heartland, said last week.

The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history.

Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants.

The lawsuit, first reported by the SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach.

The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status.

A Heartland spokesman said the company could not comment on litigation.

Meanwhile, the U.S. Secret Service has identified a suspect in the breach who resides outside the country, according to a report late last week on the Storefront Backtalk blog.

Secret Service officials did not return a call seeking comment and a U.S. Department of Justice spokeswoman said she could not comment on the investigation.

Update 2:35 p.m. PST: A Secret Service spokesman said the agency "is not releasing any information at this time" on the investigation.

Heartland announced on Tuesday that it would deploy an end-to-end encryption system to secure data in databases and as it is transferred around the network. Heartland also said it has formed an internal department dedicated to the project.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.

Comments
by ripjones January 28, 2009 3:06 PM PST
Her husband must be an ambulance chasing lawyer. Two months might be a little long to investigate, but they did hire security specialists. Everybody wants to sue, and maybe get rich. Frivolous lawsuits are why many things cost more than they should. Ms. Cooper should be ashamed of herself.
by ITcomposer January 28, 2009 3:09 PM PST
Just remember the Dunkin Donuts lawsuit because the idiot got burned with hot coffee. Yeah, we're a country full of frivolous lawsuits coming out of people like Ms. Cooper. Shame on you, lady!
by Demolition January 28, 2009 4:17 PM PST
Just FYI.... it was McDonald's, not Dunkin Donuts. Lots of facts about that case weren't well-known, leading the public to think the case was frivolous. See the following for more info: http://www.lectlaw.com/files/cur78.htm

As for the Heartland lawsuit, the case seems to be focused on Heartland's lack of proper security protocols and refusal to offer credit monitoring/relief, than it does about the length of time it took for the breach to be detected or about the timing of its disclosure. In other articles and on TV news stories, it seems that Heartland still isn't taking full responsibility for the breach saying that the info may have leaked either at the stores where the credit cards were used or by the carelessness of the credit card users themselves. So, if this case can shed some light on how the info was leaked out and on ways to prevent it from happening again, then more power to Ms. Cooper and her attorneys.
by Rafal_Los January 28, 2009 9:07 PM PST
Frivolous? Heck no. I agree with Demolition here... a massive data breach is a little different than some twit spilling hot coffee in her lap. This has the potential to cause very serious monetary damage. I can tell you first hand as I had my account wiped OUT the week before I closed on my new home... try explaining *that* to your mortgage lender.
by Spimby January 28, 2009 11:13 PM PST
I hope they get sued into the stone age. These payment processors and retailers have been so cavalier about people's personal information that the only way to make them take notice is to bring financial penalties into the picture. A few well known companies paying out several hundred million $$'s will go a long way towards making sure it doesn't happen again.
by RompStar_420 January 29, 2009 7:05 AM PST
Ya, merchant processing centers are corrupt. I don't agree that a single person should get a lot of money, but they are doing a sloppy job.

White collar crime pays BIG these days. CEOs need to rot in prison right next to crack dealers, not a 2-3 year slap on the hands.

Public hanging needs to start, so people know what will happen to you. That guy who did that 50 billion dollar Ponzi scheme, Madoff, needs to be executed against the wall.
by johnfranks1234 January 29, 2009 10:08 AM PST
Price Waterhouse Cooper and Carnegie-Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture - absent new eCulture, breaches will, and continue to, increase. For example: Microsoft patched for the worm affecting Heartland 4 months ago. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me - check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities - read the book BEFORE you suffer a bad outcome - or propagate one.
by mrbill512 February 6, 2009 11:42 AM PST
From the perspective of the cardholder, they have no cause to sue if their bank has their credit cards insured (which they all do). Ms. Cooper just had to call in and say "I didn't make these charges, please refund them" and she gets her money back. No damage done, except for maybe a little inconvenience when having to make the phone call.

All of the banks, however, are the ones that should be suing, as the costs to handle these security breaches (reissuing cards, sending letters, increased staff, higher insurance premiums, etc.) fall directly on to them.

Frivolous as a consumer, yes. This one has "ambulance chaser" written all over it. As a bank who has customers victimized by this data breach? Definitely not.