Heartland is Indeed the Big Deal
It was my intuition early when the press announcement came through on the morning of January 20 to say, "Heartland is a major breach -- maybe it will be the big one."
I told co-workers in the office, trying to convince them that this was a "big deal." I researched and found that Heartland stated it processes an average of 100 million credit card transactions each month, so even if it was only for a few days or weeks, I had it figured to "maybe" be bigger than TJX's record breach. After covering that retail breach that ended up totaling 94 million cards, I thought I had seen the biggest card breach of my career.
It seems that everyone I've spoken with since January 20 has posed the same question, "So, do you know how many cards were involved?" Now that the number 130 million is stated, I can definitely say this breach is "The big deal."
The list of financial institutions compiled by Information Security Media Group seems a small number compared to that number of 130 million credit cards. (I can only imagine how many more credit card numbers Gonzalez and his two accomplices would have gotten if Gonzalez hadn't been placed into federal custody on other unrelated hacks in May 2008.)
One thing I want to predict now is that the number of banks and credit unions stepping forward will go up. I hope that they now will be willing to say they too were affected by this data breach. There is strength in numbers.
I've spoken with so many banks and credit unions over the past nine months, I can't keep them all in my head. But some of the questions now to be asked are: Who will pay for the costs incurred for the loss/replacement of the 130 million cards? Who will pay for the fraud caused by the criminals? Ultimately, how will customer confidence in these products be restored, and who will pay for the restoration of confidence?
These are the questions that will be decided in the US District Court in Houston, TX beginning on August 24, when preliminary hearings begin in the class action suits being brought against Heartland by consumers and financial institutions.
Then there is the broader question of PCI compliance: What future changes need to be shaped into the payments industry?
Here is to the hope that we don't see the Heartland breach surpassed before the PCI questions are answered.