Breach, Threat Management, Data Security

Judge dismisses shareholder lawsuit against Heartland


Updated on Thursday, Dec. 10 at 11:05 a.m.

A U.S. District Court judge in New Jersey has tossed out a class-action lawsuit filed by shareholders against Heartland Payment Systems, the credit card processor announced Wednesday.

Judge Anne Thompson granted Heartland's motion to dismiss the action, which was filed in the wake of Heartland's massive breach that was reported earlier this year, according to a company statement. The suit, filed against Heartland, Heartland's Chairman and CEO Bob Carr and its President and Chief Financial Officer Robert Baldwin Jr., was dismissed "with prejudice," which means it cannot be brought back to the courts. 

Thompson said Heartland was not liable because there was no evidence presented that the plaintiffs were not "paying proper attention to its security problems."

"The allegations do not create the impression that there was any kind of widespread concern that Heartland had not adequately addressed the SQL attack," Thompson wrote in the decision. "Therefore, even if there were a handful of lower-level employees who were worried about ongoing problems created by the attack, there is nothing in the complaint that supports an inference that these concerns were ever relayed to any of the defendants."

Carr has told that the intruders burrowed their way into the payment network through a SQL injection vulnerability on a web page.

The complaint was filed in March on behalf of all Heartland shareholders who purchased stock between Aug. 5, 2008 and Feb. 23, 2009. Between those dates, share prices plummeted $21.84 per share.

In the suit, the plaintiffs alleged that Heartland made "false and/or misleading statements, and failed to disclose material adverse facts about the company's business, operations and prospects," according to court filings. The plaintiffs further contended that Heartland's security controls were "inadequate and ineffective."

Heartland revealed the breach on Jan. 20. The company learned of the breach about a week earlier, but hackers had been lifting credit card numbers for some nine months prior.

Heartland still faces significant legal hurdles.

Two separate class-action lawsuits have been filed in the U.S. District Court for the Southern District of Texas, one on behalf of cardholders and the other on behalf of issuing banks and other financial institutions, a Heartland spokeswoman told on Wednesday.

Heartland did not say how many records were compromised in the breach, but some estimates placed the number around 100 million, making it the largest reported data breach in history.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.