A Pa.-based law firm has filed a class action lawsuit against Heartland Payment Systems, claiming the payment processor issued belated and inaccurate statements when it announced Jan. 20 that its systems were compromised by a hacker in 2008.
The lawsuit was filed Tuesday by Chimicles & Tikellis LLP in the U.S. District Court for the District of New Jersey. It was filed on behalf of Alicia Cooper, a resident of Woodbury, Minn. The law firm says Heartland does not appear to be offering any credit-monitoring services or other relief to credit card holders affected by the breach.
"In addition to the questionable timing of this disclosure, there are materially misleading statements and omissions contained in Heartland's public description of the breach and its consequences," according to the complaint filed by the law firm.
The Princeton, N.J.-based payment processor announced on Jan. 20 that its systems were breached last year in what company officials said may be a global fraud operation. The complaint calls the timing of the announcement suspicious since it was on Inauguration Day, when media attention was focused on the events in Washington D.C.
The payment processor also did not say how many credit cards were affected by the breach or which merchants were affected. Heartland handles a large volume of small payment transactions from gas stations, restaurants and other small and midsized businesses. It said the release of such information would be unfair to its merchants. It handles about 100 million credit card payments a month and more than 4 billion transactions per year, making it one of the top five processors of payment transactions in the United States.
After being notified of suspicious activity, Heartland hired several forensic auditors to investigate. Those auditors found malware sniffing data crossing the company's network.
Payment processors and merchants still haven't gotten complete control over data in transit, said Aaron Bills, chief operating officer and co-founder of payment processor 3Delta Systems Inc. Most processors are still connected to Visa, MasterCard and other card brands via legacy dedicated lines. That method of communicating sensitive data is approved as a compensating control under the Payment Card Industry Data Security Standard (PCI DSS), but it's still more vulnerable than other communication methods, Bills said.
"There are some gaps," he said. "Point-to-point dedicated communication circuits are still being used and all of us have been trying to disband the old system and deploy VPNs."
Replacing those dedicated circuits will take more time and money, Bills said.
"All of us in the industry are under tremendous pressure every day because our systems are under constant bombardment," he said.
The lawsuit filed by Chimicles & Tikellis said the Heartland breach suggests that the company "had not implemented (or was not using)" the security controls outlined in PCI DSS. Heartland said it had achieved compliance with the standard.
The company also said it boosted security of its systems after the breach and is installing a program to quickly flag network anomalies. The company said the breach did not affect merchant data or cardholder Social Security numbers, unencrypted personal identification, addresses or phone numbers.