Security

A lawsuit filed against Heartland Payment Systems over what is believed to be the biggest data breach in U.S. history has been dismissed.

The lawsuit was filed in January against Heartland by shareholders who alleged that Heartland failed to adequately safeguard the compromised consumer data and did not notify consumers about the breach in a timely manner as required by law.

The U.S. District Court for the District of New Jersey granted Heartland's motion to dismiss the lawsuit on Monday, Heartland said in a statement on Wednesday. The court said the plaintiffs had not proved their allegations that Heartland executives knew the company had inadequate security and misled the public about it, according to a report on StorefrontBacktalk.

Heartland had disclosed the breach January 20, the day of President Obama's inauguration. The breach occurred last year but company officials said they found evidence of the intrusion the week before the announcement and immediately notified law enforcement and credit card companies.

Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.

The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with stealing data related to 40 million credit cards from eight major retailers, including TJ Maxx, and two unnamed co-conspirators based in Russia.

The breach involving Heartland and the others is believed to be the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. In addition to Heartland, 7-Eleven, and Hannaford Brothers, it involves two unnamed corporate victims, according to a statement from the U.S. Attorney's office.

The three men were indicted on charges of conspiring to hack into computer networks and stealing data as far back as October 2006. Gonzalez, whose aliases include "segvec" and "soupnazi," and the others allegedly found victims on a list of Fortune 500 companies and visited retail locations to see what type of checkout systems they used.

They used an SQL injection attack to steal the data and used computers in California, Illinois, New Jersey, Latvia, Ukraine, and the Netherlands for storing malware and stolen data and launching attacks, according to the indictment. In an SQL injection attack, a small malicious script is inserted, exploiting a vulnerability in the database layer of an application that feeds information to the Web site.

They also allegedly installed backdoors and sniffers to intercept data in real time as it was processed by the victims and tried to hide their actions by accessing the victim networks through proxy computers, modifying their software so as to evade detection by antivirus programs and programming it to delete traces of the malware from victim networks, according to the indictment.

The men also tried to sell the stolen data to others, the indictment alleges. They are charged with conspiracy to gain unauthorized access to computers, commit fraud in connection with computers and damage computers, as well as conspiracy to commit wire fraud. They face up to 35 years in prison as well as a fine of $1.25 million.

Gonzalez, who is in federal custody, was charged in May 2008 in New York with hacking the computer network of Dave & Buster's restaurant chain and was named in an indictment in Massachusetts in August 2008 related to the TJX breach. Other alleged victims in those cases include BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW. He faces trial on the New York charges next month.

Heartland reported the breach on presidential Inauguration Day in January and said that although it occurred last year, it found evidence of the intrusion just the week prior.

Formerly a federal government informant, Gonzalez also was arrested in New Jersey in 2003 on charges related to ATM and debit card fraud.

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week.

The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies.

Heartland was alerted in late October to suspicious activity surrounding processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, said Robert H.B. Baldwin Jr., chief financial officer of Heartland, last week.

The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history.

Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants.

The lawsuit, first reported by SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach.

The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status.

A Heartland spokesman said the company could not comment on litigation.

Meanwhile, the U.S. Secret Service has identified a suspect in the breach who resides outside the country, according to a report late last week on the Storefront Backtalk blog.

Secret Service officials did not return a call seeking comment and a U.S. Department of Justice spokeswoman said she could not comment on the investigation. Update 2:35 p.m. PST: A Secret Service spokesman said the agency "is not releasing any information at this time" on the investigation.

Heartland announced on Tuesday that it would deploy an end-to-end encryption system to secure data in databases and as it is transferred around the network. Heartland also said it has formed an internal department dedicated to the project.

Updated 3:25 p.m. PST with comment from Heartland.

Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses, reported Tuesday that consumer credit card data was exposed in what may be the largest security breach ever.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion last week and immediately notified law enforcement and credit card companies.

Robert H.B. Baldwin Jr., president and chief financial officer of Heartland, told CNET News he did not know how many credit and debit card accounts may have had their information exposed. The company handles 100 million transactions per month but does not know exactly how many unique cards or consumers that translates to, he said.

"We could do that analysis but we have not done it," Baldwin said. "The question is what percentage of transactions did the malware capture and what percentage got out to the bad guys?"

He also would not say when the malware arrived in its system. "We have suspicions as to when, but can't nail that down. We're still working on how" the malware got there, he added. "We believe the intrusion is contained."

"We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice," Baldwin said in the statement.

No merchant data, cardholder Social Security numbers, or unencrypted PINs, addresses, or telephone numbers were exposed, the company said.

Heartland was alerted in the late fall to suspicious activity surrounded processed card transactions by Visa and MasterCard and hired forensic auditors who uncovered malicious software that compromised data in the company's network, Baldwin said.

The company said it will implement a system to flag anomalies in real time and that it created a Web site to provide information on the breach to customers, who will not be held responsible for fraudulent charges.

Baldwin dismissed any notion that the announcement of the breach was timed so that it could be buried by the inauguration news. "We've been working to get enough facts together," he said.

Previously, the largest breach was the 45.7 million credit and debit card numbers reported compromised in 2007 by TJX, which owns retailers TJ Maxx and Marshalls. TJX settled a class action lawsuit in that case. Eleven people, from the U.S., Europe and China, were charged in the case.

Reports of data breaches in the United States increased 47 percent in 2008 from the year before, the nonprofit Identity Theft Resource Center reported in a study released two weeks ago. About 14 percent of the breaches were due to hacking, the report said.