Heartland Payment Systems Suffers Data Breach

Dave Lewis
Contributor
I write about hackers, breaches and enterprise security.
May 31, 2015, 07:57pm EDT
Heartland Payment Systems suffered a data breach on May 8th that affected its payroll customers. This is unfortunate news when you take into account that analysts expected the company to post earnings of $0.64 per share. The payroll processing company also has product offerings in loyalty cards, mobile payments and payment processing.

Heartland Payment Systems was founded in 1997 and has had a bit of a storied history from the perspective of data security. It holds the unfortunate distinction of having fallen victim to one of the largest data breaches in recent memory: in 2008 the company suffered a massive attack against its systems in which attackers made off with as many as 100 million debit and credit card numbers.

So, in January of this year Heartland made a breach warranty promise:

Heartland Payment Systems is so confident in the security of its payment processing technology that, on Jan. 12, it announced a new breach warranty for its users. The warranty program will reimburse merchants for costs incurred from a data breach that involves the Heartland Secure credit card payment processing system.

Heartland paid out roughly $140 million in fines and other penalties as a result of that 2008 breach. In the end, a single person went to jail. One Albert Gonzalez was arrested and ultimately found guilty in the attack and will spend the better part of 20 years in a federal lockup.


On May 8, 2015 the company suffered a break-in at its offices in Santa Ana, California. Apparently thieves gained entry to the office and made off with a large number of computers and other materials. In the breach notification there was this line which caught my attention: “Many items, including password protected computers belonging to Heartland were stolen.” This line tells me something that I hope I’m wrong about. It tells me that the systems that were stolen were not encrypted; a login password alone does nothing to protect the data on a drive that can simply be pulled from the machine and read elsewhere. If the systems were in fact properly protected with full-disk encryption, the notice would have highlighted that fact in bold print.

From the notice:

We have involved state and federal regulatory and law enforcement agencies to assist us in determining how to proceed with the matter at hand. Heartland continues to monitor the situation carefully and has increased its internal security and review procedures to watch for any unusual activity.

It is unfortunate that the firm has not learned from their very public de-pantsing several years ago. This problem is further highlighted by the fact that one of the systems that was stolen contained social security numbers and banking information. Bad luck that.

The company has engaged the identity monitoring firm Kroll to provide identity theft protection for a year, as mandated by law.

Hopefully the systems were simply stolen by criminals looking for a quick dollar. But if that isn’t the case, this could get uglier before long. At this point it is unclear how many clients were affected by the theft, and hopefully this breach will be little more than a tempest in a teapot.