"Big companies have hundreds of these things, and they think they're not worth worrying about or they're managed by a third party," Tippett says. "Bad guys will go after anything they can knock over."
Executives at Heartland first got an inkling that something may have gone wrong in late October, when Visa (V) said some card issuers reported a possible breach. Heartland hired two forensics companies it hasn't identified. Both scoured the network, but it wasn't until Jan. 12 that one found strange-looking data coming from Heartland's system that let Heartland employees uncover the intrusion.
Heartland's hackers, who have yet to be caught, homed in on financial information. In other cases, criminals go after intellectual property. In a survey of 800 chief information officers in eight countries released in January, security firm McAfee (MFE) found that last year those companies lost a combined $4.6 billion worth of intellectual property and spent about $600 million repairing the damage.
On the morning of Jan. 13, Carr canceled his 8 a.m. Manhattan meeting and departed for Heartland's headquarters, a 90-minute drive south. The company notified the required parties, including the FBI, the Treasury Dept., and the Justice Dept., Carr says.
That day Carr called a board meeting and brought together the management team to determine how best to respond to the attack. A big priority: how and when to disclose the breach. Heartland says it couldn't release details until law enforcement officials carried out an initial assessment. That helped push back the announcement until Jan. 20, Inauguration Day for President Barack Obama. Pundits accused Heartland of trying to bury the news. Heartland says it made the announcement "as soon as was practicable."
From there, Carr went about trying to contain the damage. He called a meeting of all 3,109 employees and told them their job was to contact customers to let them know what happened and keep them abreast of efforts to keep information secure. In the ensuing weeks, the company called or visited 150,000 of 250,000 customer locations, Carr says. "We did lose a few hundred customers, but I don't think we lost thousands of customers," he says.
Other losses were substantial. Within days, Heartland's stock price dropped 50%. By Mar. 9, it had plummeted 77.6%. The shares have recovered some ground but are still down 50% since before the breach was announced.
So far, Heartland has recorded $12.6 million in expenses related to the intrusion, including litigation and fees that MasterCard (MA) and Visa assessed against Heartland's sponsor banks. The company faces class actions filed on behalf of financial institutions, cardholders, and stockholders. Debit- and credit-card issuers may be held responsible for customer losses and "have suffered irreparable harm…as a result of deceptive, negligent, and unlawful conduct" by Heartland, according to a class action filed by a number of law firms including Chimicles & Tikellis. Heartland denies the allegations.
In the Heartland case, hackers gathered so-called track data from a card's magnetic stripe that includes the account number and, in some cases, a cardholder name. In all, more than 665 financial institutions have been affected by the exposure of credit and debit cards, according to BankInfoSecurity.com. First National Bank of Omaha has reissued 400,000 debit and credit cards, according to spokesman Kevin Langin. Heartland is working with the Justice Dept. and the Secret Service on the continuing investigation.
Federal agencies including the Federal Trade Commission are looking into Heartland's handling of information security, and the Securities & Exchange Commission has begun an informal inquiry into whether executives unlawfully sold shares amid the crisis. Carr sold Heartland stock in the autumn of 2008 but in a Feb. 24 conference call with analysts said the plan had been previously announced. He also said he had no control over the timing of sales and that he terminated the plan after the company discovered the malware.
To prevent recurrence of breaches, Carr is spearheading an effort to encrypt card data at the point that it's swiped, so that it doesn't travel over networks unencrypted, as is typically the case now. He also co-founded an organization called the Payments Processor Information Sharing Council that encourages companies in the payments industry to share information.
Avivah Litan, an analyst at Gartner, says what's needed is a sweeping overhaul of how payments are handled. "It's a collective problem, it's not just Heartland's problem," she says. "It's Visa's, it's MasterCard's, it's the banks'. … You've got to make some improvements to card technology and cardholder authentication."
She and other analysts credit Carr for his handling of the crisis. "He has come forward and said that this breach has been devastating," says Jay Foley, executive director of the Identity Theft Resource Center. "Too frequently companies will try to stick their head in the sand and try to redirect blame."
King is a writer for BusinessWeek.com in San Francisco.