A Tale of Two Breaches
What Heartland's Story Says About Global Payments' Future
It's major news: A payments processor is breached, fraud alerts are circulated, security standards are questioned, and banking institutions are left to monitor for signs of financial fraud.
That summary describes the Global Payments Inc. breach, which has captured this week's headlines. But it also summarizes the Heartland Payment Systems breach, which was the major news story of 2009.
Heartland, like Global, is a U.S.-based payments processor. Its breach, revealed in January 2009, impacted an estimated 130 million payment cards and remains the benchmark case for financial cybercrime.
And, more than anyone, Heartland's executives know how long and winding the road to breach recovery can be.
"It's going to be a fairly long process," says Steve Elefant, the former chief information officer at Heartland who now serves on the counsel team at The Strawhecker Group. "The most important thing right now is plugging the hole and getting compliant again with PCI."
For Heartland, recovery to compliance was a Herculean effort. "I'm sure it will be the same for Global," Elefant says.
But PCI compliance is just a piece of the breach-recovery puzzle. A look back on the Heartland story indicates what we might expect to see as the Global Payments incident unfolds.
Heartland, Global Comparison
Upon first look, there are several similarities between the two breached processors.
Heartland and Global both rank among the nation's top 10 merchant acquirers. In 2011, Princeton, N.J.-based Heartland ranked No. 6, according to the Nilson Report, a trade newsletter on the payments industry. Meanwhile, Atlanta-based Global Payments ranked No. 7.
Heartland revealed its breach on Jan. 20, 2009. The processor later discovered the breach had begun 18 months earlier. Over the course of the year-and-a-half exposure, data on an estimated 130 million debit and credit cards were exposed.
The company's investigation with law enforcement traced the hack back to Albert Gonzalez, a cybermastermind who, between 2003 and 2008, collected $2.8 million from card fraud linked to breaches of Heartland, TJX, Hannaford Brothers and 7-Eleven. In March 2010, Gonzalez was sentenced to 20 years in prison for his cybercrimes, the longest sentence at the time handed down for computer crime in a U.S. court.
On April 1, Global Payments said it discovered its breach sometime around March 9, after internal fraud-detection systems picked up on anomalous activity. Global said an internal investigation linked the breach to a single server, and that only non-personally identifiable information, such as card number and expiration date, was exposed. So far, the company says the exposure was contained to 1.5 million cards issued in North America.
After the breach at Heartland was discovered, Visa removed the processor from its PCI-compliant service providers list. Six weeks later, Heartland's favorable PCI standing was reinstated.
On April 2, during an investors' call/press conference, Global Payments CEO Paul Garcia announced that Visa had just revoked Global's favorable PCI standing.
Heartland's Rough Road
For Heartland, the months following the breach announcement were filled with internal and external security and compliance checks and a sea of legal disputes with banks, credit unions, cardholders and shareholders.
Hundreds of banks and credit unions were hit by fraud linked to the breach, and the expenses associated with card reissuance and financial losses ultimately led to a number of lawsuits against Heartland, including a multi-institution suit that in December 2011 was dismissed.
In September 2009, Heartland executives had to appear before the U.S. Senate to explain how its breach went undetected for more than a year.
In May 2010, a consumer suit, which was later dismissed, sought a settlement of $4 million. And in December 2009, a shareholder suit brought against the processor also was dismissed.
"Many of those were frivolous," Elefant says, "because the brands protect the issuers, and cardholders are not really affected at all beyond having to use a new card."
Most of the other legal disputes were settled out of court - and were costly. Among them:
- In December 2009, Heartland and American Express settled for $3.6 million;
- In January 2010, Heartland settled with Visa for $60 million;
- In May 2010, it settled with MasterCard for $41.4 million;
- In September 2010, it settled with Discover for $5 million.
What Global Can Expect
Now, as Global Payments anticipates what its future will look like, it has some advantages over Heartland. For one, the breach appears to be much smaller.
"Heartland was 100 million cards; this breach at Global is a fraction of that," Elefant says. "No breach is good, but this one is much smaller." The smaller scope of the breach will likely bode well for Global and carry fewer penalties.
From a legal perspective, Global is likely to face fewer lawsuits, too, says IT security and privacy lawyer David Navetta.
"Looking at the case law, you would have expected more lawsuits in Heartland, if [plaintiffs] thought they could win," he says. "Most issuing banks, unless they've lost a ton of money, are not excited to file lawsuits; so they're probably going to rely on Visa and MasterCard and the other card brands to get their funds recovered."
With Heartland, individual institutions filed suits because the losses were so great. Because Visa and MasterCard do not reimburse losses dollar for dollar, some issuers went after Heartland. But those efforts were, for the most part, fruitless. Given the smaller number of cards breached in the Global incident, most banking institutions aren't likely to pursue direct legal action, Navetta says.
Then, there's the whole settlement issue with the card brands. Navetta estimates it could be several months to a year before any settlements with the card brands are announced.
"We're at the beginning of this process, and we're still trying to figure out what's going on," he says. "Stopping the bleeding is really what's happening right now; and determining if they were negligent on some level. Even on the merchant side, it could take months to figure out what Visa and MasterCard are finding."
For now, Global needs to focus on getting back into PCI compliance and on wrapping up its breach investigation. The investigation will likely take a year to complete. Until it's completed, the details surrounding the breach could remain sketchy. "It will be tied to the investigation, and until that's finished, it's really a wild card in terms of what could happen from a legal standpoint," Navetta says.
The good news - based on Heartland's example - is that Global can use this incident as a rallying point for positive action. Immediately following its breach, Heartland and its CEO became vocal proponents of improved payments security via end-to-end encryption. The image change took time, but ultimately, public perception of Heartland improved because of the action the processor took in the wake of the breach.
"I think, frankly, that we were the leaders in getting that discussion rolling at the level it's been conducted at, and I'm very proud we've taken that role," said Heartland CEO Bob Carr in a 2010 interview with BankInfoSecurity. "It makes me feel we've taken this situation and made a positive out of it, as much as that's possible."
Associate Editor Jeffrey Roman contributed to this story.