Heartland Data Breach: Class Action Suit Filed on Behalf of Banking Institutions

Complaint Seeks to Recover Costs, Damages from Fraud
Heartland Data Breach: Class Action Suit Filed on Behalf of Banking Institutions
One month after the Heartland Payment Systems (HPY) data breach was revealed, a Philadelphia law firm filed a class action lawsuit against the processor on behalf of two banks and three credit unions. The complaint was filed by Chimicles & Tikellis in U.S. District Court in Trenton, NJ on February 20. Heartland Payment Systems data breach coverage

The five institutions named in the complaint are Amalgamated Bank, New York, NY; Matadors Community Credit Union, Chatsworth, CA; GECU, El Paso, TX; MidFlorida Federal Credit Union, Lakeland, FL ;and Farmers State Bank, Marcus, IA. All the institutions say they have had to re-issue "substantial" numbers of credit and debit cards because of the Heartland breach.

Joseph Sauder, the attorney leading the case, says while only five institutions were named in the complaint, "We talked with numerous banks. These five were the ones we selected to present in the complaint."

Although no one has estimated officially how many institutions, cards and consumers might be affected by the breach, more than 500 institutions have stepped forward to tell Information Security Media Group that they have been impacted.

Chimicles & Tikellis also has a consumer class action lawsuit filed against Heartland, filed in the same U.S. District Court in Trenton on January 27.

Seeking to Recover Costs

In the new class action suit, Sauder says the institutions "seek to recover money for the cost of reissuing cards and also for the fraudulent activity that banks and credit unions are ultimately responsible for as a result of this breach, among other things."

Heartland announced on January 20 that its computer systems had been breached by outside hackers sometime in 2008. The processor handled on average 100 million transactions per month for about 175,000 merchants and retail establishments. Heartland only became aware of the breach after it was notified by Visa and MasterCard of "patterns of fraudulent credit card activity," the lawsuit states.

The breach compromised information including debit and credit card numbers, expiration dates and internal bank codes. Many of the institutions that had cards compromised in the breach were forced to re-issue new credit and debit cards to their customers. "Given the large size of the data breach, the expenses associated with doing so are substantial," the complain says, "and include costs for purchasing new plastic debit and credit cards, postage and other mailing expenses, time spent by employees address this issue and harm to reputation and goodwill."

Many institutions have also reported incidents of fraud, the complaint states. It says Heartland's actions "constitute violations of the consumer protection statute of New Jersey," and amounts to a breach of implied contract, negligence, negligent misrepresentation, and common law negligence.

Sauder says he cannot estimate how soon the case may begin or how long it may last. "It's hard to tell at this time, since the case was just filed, as to what Heartland's position is going to be," he says. He adds that more institutions are expected to join the class action suit.

Other Suits

There are at least three consumer class action lawsuits filed against Heartland and three other lawsuits filed in other courts by institutions seeking to recoup their losses and expenses related to the breach:

The Lone Star National Bank, Pharr, TX has filed a lawsuit seeking $50 million in damages against Heartland. The Lone Star case was filed in Texas Southern District Court on February 16.

TriCentury Bank, Simpson, KS filed a lawsuit in New Jersey District Court on February 13 seeking a judgment against the payments processor for breach of contract.

Lone Summit Bank, Lake Lotawana, MO filed a lawsuit in the Fraud or Truth-In-Lending office of the New Jersey District Court on February 6.

The lawsuits against Heartland aren't the only issues the payments processor is confronting. During a conference call reporting Heartland's 2008 fourth quarter earnings on February 24, Heartland President and CFO Bob Baldwin said, "Today, we have had several lawsuits filed against us and we expect that additional lawsuits will be filed. We are also the subject to several governmental investigations and enquiry, including an informal enquiry by the SEC and a related investigation by the Department of Justice, an inquiry by the OCC, and an inquiry by the FTC, and we may, in the future, be subject to other governmental enquiries and investigation."


About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network