
First lawsuit filed in Heartland data security breach

By Robert Westervelt, News Editor
28 Jan 2009 | SearchSecurity.com


A Pa.-based law firm has filed a class action lawsuit against Heartland Payment Systems, claiming the payment processor issued belated and inaccurate statements when it announced Jan. 20 that its systems were compromised by a hacker in 2008.

The lawsuit was filed Tuesday by Chimicles & Tikellis LLP in the U.S. District Court for the District of New Jersey. It was filed on behalf of Alicia Cooper, a resident of Woodbury, Minn. The law firm says Heartland does not appear to be offering any credit-monitoring services or other relief to credit card holders affected by the breach.

"In addition to the questionable timing of this disclosure, there are materially misleading statements and omissions contained in Heartland's public description of the breach and its consequences," according to the complaint filed by the law firm.

The Princeton, N.J.-based payment processor announced on Jan. 20 that its systems were breached last year in what company officials said may be a global fraud operation. The complaint calls the timing of the announcement suspicious since it was on Inauguration Day, when media attention was focused on the events in Washington, D.C.

The payment processor also did not say how many credit cards were affected by the breach or which merchants were affected. Heartland handles a lot of small payment transactions from gas stations, restaurants and other small and midsized businesses. It said the release of such information would be unfair to its merchants. It handles about 100 million credit card payments a month and more than 4 billion transactions per year, making it one of the top five processors of payment transactions in the United States.

After being notified of suspicious activity, Heartland hired several forensic auditors to investigate. Those auditors found malware sniffing data crossing the company's network.

Payment processors and merchants still haven't gotten complete control over data in transit, said Aaron Bills, chief operating officer and co-founder of payment processor 3Delta Systems Inc. Most processors are still connected to Visa, MasterCard and other card brands via legacy dedicated lines. It's a method of communicating sensitive data approved as a compensating control for the Payment Card Industry Data Security Standards (PCI DSS), but it's still more vulnerable than other communication methods, Bills said.

"There are some gaps," he said. "Point-to-point dedicated communication circuits are still being used and all of us have been trying to disband the old system and deploy VPNs."

Replacing those dedicated circuits will take more time and money, Bills said.

"All of us in the industry are under tremendous pressure every day because our systems are under constant bombardment," he said.

The lawsuit filed by Chimicles & Tikellis said the Heartland breach suggests that the company "had not implemented (or was not using)" the security controls outlined in PCI DSS. Heartland said it had achieved compliance with the standard.

The company also said it boosted security of its systems after the breach and is installing a program to quickly flag network anomalies. The company said the breach did not affect merchant data or cardholder Social Security numbers, unencrypted personal identification, addresses or phone numbers.
