Heartland Breach: Claims Dismissed

Court Denies Compensation to Institutions
Heartland Breach: Claims Dismissed
A U.S. District Judge has ruled to dismiss the majority of claims included in a multi-institution suit against Heartland Payment Systems, which in 2008 was hacked, ultimately compromising 130 million U.S. debit and credit cards.

The Heartland breach, announced in January 2009, was the first card processor breach to attract international attention. A multiparty complaint against Heartland ultimately resulted, after the Judicial Panel on Multidistrict Litigation consolidated individual suits filed by consumers and U.S. banking institutions seeking financial compensation for losses suffered as a result of systems breach.

But earlier this month, after more than two years of litigation, District Judge Lee Rosenthal dismissed the majority of those claims, saying the plaintiffs failed "to state a claim upon which relief can be granted."

One exception, however, was noted in Rosenthal's ruling. A violation of the Florida Deceptive and Unfair Trade Practices Act claimed in one of the banking institution suits may be amended. Rosenthal found that the banks' and credit unions' claim could be heard if amended to include more than one state's law and inclusion of more specific details about alleged contractual violations.

Heartland argued the claim must be dismissed "because only consumers, as the word is traditionally used, may assert claims under the FDUTPA."

If amended, the institutions have until Dec. 23 to file their revised complaint. A status conference has already been set for Jan. 13.

Albert Gonzalez and two unknown Russians were linked to the Heartland breach. Gonzalez was convicted and received a 20-year sentence for his involvement. [See: Heartland Hacker Sentenced to 20 Years]

Gonzalez' crimes cost companies, banks and insurers nearly $200 million, according to the Department of Justice. Thousands of financial institutions reported losses associated with the Heartland breach, including M&T Bank, Citi and HSBC. Heartland later settled with major card brands, including Visa, for $60 million, Discover, for $5 million, and MasterCard, for $41.4 million. But litigation stemming from losses suffered by card issuers lingered.

Plaintiffs' suits against Heartland claimed the data breach resulted from Heartland's failure to follow the PCI Data Security Standard.

Jeffrey Roman contributed to this article.


About the Author

Tracy Kitten

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network