Heartland Data Breach: Class Action Suit Filed on Behalf of Banking InstitutionsComplaint Seeks to Recover Costs, Damages from Fraud
The five institutions named in the complaint are Amalgamated Bank, New York, NY; Matadors Community Credit Union, Chatsworth, CA; GECU, El Paso, TX; MidFlorida Federal Credit Union, Lakeland, FL ;and Farmers State Bank, Marcus, IA. All the institutions say they have had to re-issue "substantial" numbers of credit and debit cards because of the Heartland breach.
Joseph Sauder, the attorney leading the case, says while only five institutions were named in the complaint, "We talked with numerous banks. These five were the ones we selected to present in the complaint."
Although no one has estimated officially how many institutions, cards and consumers might be affected by the breach, more than 500 institutions have stepped forward to tell Information Security Media Group that they have been impacted.
Chimicles & Tikellis also has a consumer class action lawsuit filed against Heartland, filed in the same U.S. District Court in Trenton on January 27.
Seeking to Recover Costs
In the new class action suit, Sauder says the institutions "seek to recover money for the cost of reissuing cards and also for the fraudulent activity that banks and credit unions are ultimately responsible for as a result of this breach, among other things."
Heartland announced on January 20 that its computer systems had been breached by outside hackers sometime in 2008. The processor handled on average 100 million transactions per month for about 175,000 merchants and retail establishments. Heartland only became aware of the breach after it was notified by Visa and MasterCard of "patterns of fraudulent credit card activity," the lawsuit states.
The breach compromised information including debit and credit card numbers, expiration dates and internal bank codes. Many of the institutions that had cards compromised in the breach were forced to re-issue new credit and debit cards to their customers. "Given the large size of the data breach, the expenses associated with doing so are substantial," the complain says, "and include costs for purchasing new plastic debit and credit cards, postage and other mailing expenses, time spent by employees address this issue and harm to reputation and goodwill."
Many institutions have also reported incidents of fraud, the complaint states. It says Heartland's actions "constitute violations of the consumer protection statute of New Jersey," and amounts to a breach of implied contract, negligence, negligent misrepresentation, and common law negligence.
Sauder says he cannot estimate how soon the case may begin or how long it may last. "It's hard to tell at this time, since the case was just filed, as to what Heartland's position is going to be," he says. He adds that more institutions are expected to join the class action suit.
There are at least three consumer class action lawsuits filed against Heartland and three other lawsuits filed in other courts by institutions seeking to recoup their losses and expenses related to the breach:
The lawsuits against Heartland aren't the only issues the payments processor is confronting. During a conference call reporting Heartland's 2008 fourth quarter earnings on February 24, Heartland President and CFO Bob Baldwin said, "Today, we have had several lawsuits filed against us and we expect that additional lawsuits will be filed. We are also the subject to several governmental investigations and enquiry, including an informal enquiry by the SEC and a related investigation by the Department of Justice, an inquiry by the OCC, and an inquiry by the FTC, and we may, in the future, be subject to other governmental enquiries and investigation."