Heartland Payment Systems is a payment processing provider for over 275,000 business locations in the United States. The company processes more than 11 million transactions each day and in excess of $80 billion dollars in transactions every year. Due to the nature of its business, when the company announced it was a victim of a cyber security breach on January 21, 2009 the news sent shock waves throughout the financial industry.
Heartland announced that beginning in May 2008 cyber thieves had been able to gain deep access into Heartland’s network systems and records where consumers’ credit and debit card payment information is stored. The company was up to industry security standards, having passed multiple audits, the last one as recent as April 30, 2008, yet the cyber thieves were able to take advantage of weaknesses in Microsoft software and install 13 pieces of malware to infiltrate at least one, but possibly more of Heartland’s servers.
Heartland first became suspicious there may be an issue when Visa reported that some card issuers may have been breached. Heartland CEO, Robert Carr immediately hired two cyber security forensics firms to investigate. The forensics team did not identify the intrusion until January 12, 2009, upon which Carr immediately contacted the banking institutions, law enforcement agencies, including the FBI, Justice Department and the Treasury Departments to conduct an assessment of how Heartland should proceed and investigate. Heartland said they had to wait for the assessment from law enforcement before they could begin making public announcements, hence the January 20th statement.
According to Carr, he held a meeting with his entire staff, more than 3,100 people, and instructed them to contact customers to inform them of the breach and to keep them updated of Heartland’s progress in addressing the incident and the ongoing investigation. Reportedly, Heartland personally met with or called 150,000 of their customer locations. Despite the CEO’s and Heartland’s swift actions, the breach would have tremendous costs to the company. Class action lawsuits were filed on behalf of the affected credit card holders, financial institutions, credit and debit card issuers and stockholders.
As a result of the Heartland breach CEO Robert Carr subsequently instituted and led the way on end-to-end encryption technology, launching their E3 solution on May 24, 2009. Industry analysts praised Heartland for its efforts in bringing the technology to the forefront of the financial services industry where it was believed to be sorely needed to help prevent this type of cyber crime.
At the time, Heartland said it had recorded $12.6MM in costs, litigation and fees that Visa and MasterCard had assessed their sponsor banks. However, more recent estimates are that Heartland has paid out more than $110MM in settlements to resolve lawsuits and claims that are related to the breach. But in reality that figure isn’t accurate either as the company’s stock prices have still not recovered.
Cyber Insurance Coverage Information: In May 2014, Heartland Secure is launched. Backed by a breach warranty, Heartland Secure combines three technologies to provide merchants with security and guard against monetization of stolen card data.
Additional Resources About This Breach: