Heartland sued as payment processor seeks to encrypt more
Heartland is being sued for its actions both before and after it disclosed last week that organized criminals stole credit and debit card numbers from its systems, cards that potentially belonged to millions of consumers, Benjamin Johns, a lawyer with the Haverford, Pa.-based firm of Chimicles & Tikellis, told SCMagazineUS.com on Thursday.
The suit was filed in federal court in Trenton, N.J. on behalf of Minnesota resident Alicia Cooper and others who may have been similarly victimized, Johns said. Cooper received a letter from her bank informing her that her debit card number had been stolen in the breach.
The complaint alleges that the Princeton, N.J.-based processor only learned of the breach in October after being notified by Visa and MasterCard of suspicious card transactions, and then took some three months to isolate the malicious activity.
And when it reported the incident, Heartland made "materially misleading statements and omissions," which included failing to note which retailers and how many consumers were affected, in addition to not providing credit monitoring protection for customers.
"They really downplayed the effect of the breach and the consequences it reaps on consumers," said Matthew Schelkopf, another attorney involved in the case.
The lawsuit seeks compensation for victims and assurance that Heartland has corrected its security shortfalls.
A Heartland spokesman told SCMagazineUS.com that the company does not comment on pending litigation.
Meanwhile, this week, Heartland's Chairman and CEO Robert Carr said the company is embarking on an aggressive project to deploy end-to-end encryption across its systems.
"There is no single silver bullet that will secure payment systems, and constant vigilance and monitoring of the infrastructure will always be required," he said. "Nevertheless, I believe the development and deployment of end-to-end encryption will provide us the ability to implement increasing levels of security protection as they become needed."
The breach happened when the hackers were able to embed data-sniffing malware on an unencrypted segment of Heartland's private network, a segment over which controls are not mandated under the Payment Card Industry Data Security Standard (PCI DSS).
Gretchen Hellman, vice president of security solutions at encryption provider Vormetric, said organizations should encrypt their data "wherever they can" to prevent large-scale breaches, but that they must also apply other controls suited to their individual environments.
"PCI DSS is a good guideline and checklist for basic controls that an organization needs to have, but to truly secure your information, you need to look at your unique systems, processes and risks," Hellman told SCMagazineUS.com.