At the Heart of the Data Breach(es)

Tom Field (SecurityEditor) • March 5, 2009

But I do know this: For anyone who wants to know exactly what the Heartland Payment Systems (HPY) data breach - or any such incident - really means, here's what I'll tell them. This is an excerpt from a note I received a couple of weeks back from a bank customer:

"I am just a customer with XXX bank here in the Midwest. And I just discovered today that $500 was taken out of my account yesterday. Someone charged $250 twice at a Macy's East in New York and attempted another $200 and it was refused. This is what the bank teller told me. They have cancelled my and my husband's debit cards and are working to get the $500 back.

All that matters is that a bank customer lost $500 to fraud, doesn't understand why, and wonders what her bank is going to do about it.

"We are just plain, hardworking Midwesterners and are shocked and bewildered how this happened. We've never been to New York, and we never left the county yesterday! I had also been issued a new debit card about a month or so ago and had just stuck it in the safe because my other card was still fairly new, although they were two different numbers. The debit card number that was used never left the safe, so I'm pretty darn sure that it was compromised electronically and most likely with Heartland.

"The gal at the bank wasn't sure if Heartland was involved or not. I just wish I'd been notified to watch for this earlier. The bank teller alluded that there have been several other bank customers that have had strange charges, but I think it's just beginning to show up. I've been researching this whole breach thing on the net and wonder why the media hasn't really got involved with this. I've been doing my own notifying today via email telling friends and family members to check their debit/credit accounts for fraud.

"I'm not sure if I can be much help to you, but since my bank isn't on the list and I've definitely had some fraud done with my account, I thought I'd let you know.

"Thanks for at least letting me vent."

Well, thanks for taking the time to vent and to give us all a little bit of perspective.

Y'see, it doesn't matter whether the fraud referenced above was connected to Heartland or a payment-processor-to-be-named-later. It doesn't even matter so much how the fraud occurred and what the card-issuing bank did/did not do as a result of it.

All that matters is that a bank customer lost $500, doesn't understand why, and wonders what her bank is going to do about it.

To me, this just cuts to the heart of these data breaches. They aren't about encryption and hackers and intrusion detection systems. They're about trust, as banking always is, and they're about customers - people - having that trust violated.

There have been some great questions raised in the wake of the Heartland breach. What exactly happened? How did it happen? How many banks, credit unions and customers were affected? What can we do to prevent such breaches from occurring in the future?

But to me the ultimate question is: What are we going to do to regain our customers' trust?

I'd be curious to hear your answers.