Breach, Threat Management, Data Security, Security Strategy, Plan, Budget

$12.6 million spent so far to respond to Heartland breach

The chief executive of Heartland Payment Systems said Thursday that the payment processor so far has spent $12.6 million in responding to the massive data breach that was announced in January.

But additional fines, legal fees and the cost of repairing a reputation potentially tarnished by the break-in will cost Heartland millions more, experts told on Friday.

"It's still early to understand everything that's going to impact the final total of what this will cost Heartland," Mike Spinney, senior privacy analyst with the Ponemon Institute research firm, said. "Bottom line, it's going to be a lot more expensive than $12 million."

More than half of the $12.6 million cost is related to a MasterCard fine levied against Heartland's sponsor banks, Chairman and CEO Robert Carr said Thursday during a conference call announcing the company's first-quarter earnings.

The fine, which is passed by the sponsor banks to Heartland, was issued because MasterCard alleged that Heartland failed to take proper actions after it learned of a possible breach and after it disclosed the incident to the public, Carr said, according to a transcript of the call.

"Heartland believes that it responded appropriately to all information that it learned regarding the possibility of the system breach, and that upon discovering the intrusion, it took immediate and extraordinary action to address the intrusion," Carr said.

He said the company cooperated with MasterCard's investigation throughout and that it plans to challenge the fine.

Carr's remarks allude to a forthcoming legal fight from Heartland, which will cost the company additional money, Spinney said. Heartland already is defending itself against at least two lawsuits, including a suit filed in New Jersey that accuses Heartland of failing to protect consumer data.

The processor also will face continued costs of retaining or gaining new merchant clientele, Spinney said.

"If they want to regain the trust of their customers, that's going to cost some money, not only in PR and marketing, but also in increasing their investment in security technologies, procedures and training," Spinney said.

To the technology point, Heartland is "on schedule" to deploy its end-to-end encryption solution, Carr said.

In its call Thursday, Heartland reported first-quarter losses of $2.5 million. The company had profits of $9 million over the same period in 2008. Bob Baldwin, Heartland president and chief financial officer, blamed the results on the dismal economy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.