Heartland Breach: Inside Look at the Plaintiffs' CaseMaster Complaint Details Events Before, During and After the Landmark Breach
Heartland publicly touted its "multiple layers of security," and said it placed "significant emphasis on maintaining a high level of security in order to protect the information of our merchants and their customers," according to the master complaint filed last month in U.S. Southern District Court in Houston. In January, Heartland announced it had been the victim of a data breach that is now recognized as the largest ever reported, impacting more than 130 million consumer credit/debit card accounts.
The complaint represents "everything we know about the Heartland data breach so far," says attorney Richard Coffman, representing the financial institutions suing Heartland for damages. This document lays out for the first time a sequence of events and statements made by Heartland executives about security measures and actions before, during and after the breach.
Heartland representatives did not respond to a request for comment on the contents of the complaint. The processor is expected to file for dismissal of the class action suit by Oct. 23.
Following is a timeline of events highlighted in the master complaint against Heartland.
2006: Merchant Bill of Rights
In 2006, the complaint says, Heartland created the "Merchant Bill of Rights," which the company describes as "an industry standard for fairness, honesty and transparency in credit and debit card processing." According to its website, "[a]t Heartland, we believe you have the right to ... encrypted card numbers and secure transactions ... [and] ... real-time fraud and transaction monitoring."
Heartland stressed the importance of retaining a payment processor that has adequate security measures in place: "No merchant ever wants to have the credit, debit and PIN numbers of its customers stolen by hackers. Hundreds of thousands of attempted hacks are foiled every day by large card transaction processors. It takes layers of state-of-the-art security, technology and techniques to safeguard sensitive credit and debit card account information," states the Merchant Bill of Rights webpage. "Robust security is a must - not an option. Small and mid-sized merchants have the right to encrypted card numbers and secure transactions."
The complaint says Heartland's Bill of Rights was not limited to soliciting business from merchants. Rather, it expressly was designed to assure the public at large that Heartland had adequate security measures in place to protect sensitive financial data.
2007 Pre-Breach: Security Assurances
Both before and after the Data Breach, the complaint says, Heartland assured financial institutions that the sensitive financial information entrusted to the processor was secure. One example given: the last Form 10-K filed with the SEC before the data breach occurred. Heartland made the following affirmative representations concerning its security measures: "Our internal network configuration provides multiple layers of security to isolate our databases from unauthorized access and implements detailed security rules to limit access to all critical systems."
The complaint also says that, pre-breach, Heartland's website touted the company's security measures. For example, in describing an "internally developed, client-server based transaction processing platform" called HPS Exchange, Heartland said: "Cost, security, and reliability - By operating our own data center, Heartland is able to offer benefits that include: Security - Exchange has passed an independent verification process validating compliance with VISA requirements for data security."
Dec. 2007: Breach Began
Beginning at least as early as December 26, 2007, unauthorized persons hacked into Heartland's computer network and gained access to confidential financial data associated with approximately 130 million credit cards and debit cards, according to the complaint.
Visa first alerted Heartland about "suspicious activity surrounding certain cardholder accounts" in late October 2008 - nearly one year later. Heartland's IT team subsequently worked with forensic auditors from the major card brands (Visa, MasterCard, American Express and Discover) to try to match the suspicious transactions to Heartland's processing activities.
Nov. 2008: PCI 'Insufficient'
Heartland executives were "well aware ... that the bare minimum PCI-DSS standards were insufficient to protect it from an attack by sophisticated hackers," the complaint says. On a November 4, 2008 earnings call with analysts, Heartland CEO Robert Carr reportedly said "We also recognize the need to move beyond the lowest common denominator of data security, currently the PCI-DSS standards. We believe it is imperative to move to a higher standard for processing secure transactions, one which we have the ability to implement without waiting for the payments infrastructure to change." Carr's comments confirm that the PCI standards are minimal, and that the actual industry standard for security is much higher, complaint says.
Jan. 2009: Suspicious Files Found
The breach occurred on Heartland's proprietary "Passport" application, used to process credit card and debit card transactions and send payments to merchants. This investigation led to the discovery of "suspicious files" on January 12, 2009. On January 13, 2009, Heartland uncovered "malicious software that apparently had created those files." Robert H.B. Baldwin, Jr., Heartland's President and Chief Financial Officer, reportedly said that the legacy Heartland network on which the breach occurred handles approximately one billion transactions per year.
Jan. 20, 2009: Breach Disclosed
Heartland publicly disclosed the breach on January 20, 2009 - President Obama's inauguration day. In a press release issued that morning, Baldwin stated: "We understand that this incident may be the result of a widespread global cyber fraud operation, and we are cooperating closely with the United States Secret Service and Department of Justice."
Jan. 2009: Breach Aftermath
On the day after the data breach was announced, the complaint says, Heartland conducted a webinar about the data breach for its high-level employees, sales representatives and/or relationship managers. The complaint says Heartland relationship managers were told that "PCI compliance was not a big deal."
One of Heartland's relationship managers resigned on April 23, 2009, in part because of Heartland's statements regarding its PCI compliance, the complaint continues. A Referee's Decision in a Delaware Department of Labor proceeding reached the conclusion that this relationship manager had "good cause" to leave her position at Heartland based, in part, on Heartland's conduct.
March 2009: Heartland Taken off Visa List
After the breach, Visa conducted its own investigation into Heartland's security measures, concluding that Heartland was in violation of the Visa operating regulations. Consequently, on or around March 14, 2009, Visa removed Heartland from its published list of PCI-DSS compliant service providers.
Visa also reportedly put Heartland on probationary status. Under the terms of this probation, Visa subjected Heartland to more stringent security assessments, monitoring and reporting, and levied fines on Heartland's sponsoring banks.
April 2009: Heartland Recertified PCI Compliant
Heartland was recertified as PCI compliant by an auditor in April 2009. But there still is question, the complaint says, whether Heartland was actually in compliance with the PCI standards when the data breach occurred. In a March 19 speech at the Global Security Summit hosted by Visa in Washington D.C., Visa's Chief Enterprise Risk Officer, Ellen Richey, said that the Heartland data breach would not have occurred had the company had been vigilant about maintaining its PCI compliance, observing that "No compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach."
Richey also attributed the data breach to Heartland's lack of ongoing vigilance: "As we've all read, [Heartland] had validated PCI compliance. But it was the lack of ongoing vigilance in maintaining compliance that left the company vulnerable to attack."
May 2009: MasterCard Fines Heartland's Sponsor Banks
Visa was not the only entity to sanction Heartland for its conduct related to the data breach. On a May 7, 2009 earnings call, Carr revealed that MasterCard fined Heartland's sponsor banks, according to the complaint - "ostensibly because of an alleged failure by Heartland to take appropriate action upon having learned that its computer system may have been breached and upon thereafter having discovered the intrusion."
For the first quarter 2009, Heartland took a $12.6 million charge related to "expenses and accruals attributable" to the data breach, including the fines assessed on Heartland's sponsor banks. MasterCard's fine alone reportedly was in excess of $6 million. In a recent SEC filing, Heartland stated that the data breach has cost it $32 million as of June 30, 2009.
August 2009: End-to-End Encryption, Settlement Costs
Heartland is currently in the process of implementing an end-to end encryption process. On an August 4 earnings call with analysts, Carr stated that the company's end-to-end encryption project will offer merchants "the highest level of beta security in the marketplace." And, according to a June 17 press release issued by Heartland, the end-to-end encryption software "will significantly enhance the security of payment card information throughout the processing lifecycle."
Carr also stated on the same call that Heartland had incurred $19.4 million in costs related to the breach for the second quarter 2009, the majority of which relate to "a settlement offer we made in an attempt to resolve certain of the processing system intrusion claims." Carr, however, did not disclose to whom Heartland had extended the settlement offer.
August 2009: Hackers Indicted
The U.S. Department of Justice secured an indictment on August 17 in New Jersey against three individuals connected to the Heartland data breach. One of the indicted defendants is Albert Gonzalez, who was also involved in the TJX data breach. The other two accused persons reside in Russia. The indictment alleges that between approximately October 2006 and May 2008, the defendants conspired to hack into the computer networks of Heartland and other companies in order to steal credit card and debit card numbers. Once obtained, the data was allegedly broken into batches suitable for wholesale distribution over the Internet, and offered for sale.
After hacking into the networks via an "SQL Injection Attack," the co-conspirators installed sniffer programs that captured credit card and debit card numbers on a real-time basis as they moved through the networks. The co-conspirators also allegedly placed unique malware, called "back doors," on the hacked networks that permitted them to re-access the networks at a later date. The co-conspirators concealed their efforts to hack into computer networks by programming the malware to evade detection by anti-virus software, and erase computer files that would otherwise evidence their unauthorized presence on the networks.
Post-Breach Behavior: 'Cavalier'
For what has been described as potentially the "largest data breach ever" - and which undisputedly includes sensitive financial and banking information - Heartland has publicly taken a cavalier approach regarding the data breach, according to the complaint. It cites a January 2009 article in The Washington Post, where Baldwin said: "The nature of the [breach] is such that card-not-present transactions are actually quite difficult for the bad guys to do because one piece of information we know they did not get was an address." As a result, he said, the prospect of thieves using the stolen data to rack up massive amounts of fraud at online merchants "is not impossible, but much less likely."
Many states have laws that require entities to promptly notify affected consumers when their sensitive financial data is compromised in a data breach. The complaint says Heartland has not provided any individualized notice (other than in its press releases and websites) to any consumers who were affected by the data breach. Instead, the complaint says, Heartland has effectively shifted this obligation (and substantial expense and time associated therewith) to the financial institutions, which have re-issued compromised credit cards and/or debit cards to consumers, as well as absorbing millions of dollars of unauthorized charges, expenses and losses.
The complaint concludes that Heartland should have taken several measures that might have prevented the breach. Quoting Baldwin in an interview conducted immediately after the breach: "There are a host of things we didn't go into that we're implementing, some larger, some smaller, all of which are designed to say, 'OK, we had a commitment to high security. We were PCI compliant -- that was certified in April of last year. Yet we had this problem. Clearly we need to do more.' So our IT team is implementing as many additional precautions as it can as quickly as possible."