The Agency Insider with Linda McGlasson

Heartland is Indeed the Big Deal

Well, it is good to finally have a number to go along with the Heartland Payment Systems data breach, and even better that three hackers have been indicted for the crime. Albert Gonzalez, a 28-year-old identified as the lead hacker, faces up to 25 years in prison and a $250,000 fine if convicted.

It was my intuition early when the press announcement came through on the morning of January 20 to say, "Heartland is a major breach -- maybe it will be the big one."

I told co-workers in the office, trying to convince them that this was a "big deal." I researched and found that Heartland stated it processes an average of 100 million credit card transactions each month, so even if it was only for a few days or weeks, I had it figured to "maybe" be bigger than TJX's record breach. After covering that retail breach that ended up totaling 94 million cards, I thought I had seen the biggest card breach of my career.

It seems that everyone I've spoken with since January 20 has posed the same question, "So, do you know how many cards were involved?" Now that the number 130 million is stated, I can definitely say this breach is "The big deal."

The list of financial institutions compiled by Information Security Media Group seems a small number compared to that number of 130 million credit cards. (I can only imagine how many more credit card numbers Gonzalez and his two accomplices would have gotten if Gonzalez hadn't been placed into federal custody on other unrelated hacks in May 2008.)

One thing I want to predict now is that the number of banks and credit unions stepping forward will go up. I hope that they now will be willing to say they too were affected by this data breach. There is strength in numbers.

I've spoken with so many banks and credit unions over the past nine months, I can't keep them all in my head. But some of the questions now to be asked are: Who will pay for the costs incurred for the loss/replacement of the 130 million cards? Who will pay for the fraud caused by the criminals? Ultimately, how will customer confidence in these products be restored, and who will pay for the restoration of confidence?

These are the questions that will be decided in the US District Court in Houston, TX beginning on August 24, when preliminary hearings begin in the class action suits being brought against Heartland by consumers and financial institutions.

Then there is the broader question of PCI compliance: What future changes need to be shaped into the payments industry?

Here is to the hope that we don't see the Heartland breach surpassed before the PCI questions are answered.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.
