« Guest Author: Jeffry Pilcher of The Financial Brand | Main | UPDATE: Today's the day to be "two people" »

February 03, 2009

The Heartland Hack is Still a Problem...a HUGE Problem.


by Ron Daly 

When I was a hard working CFO at a large CU a few years back, the card operations department reported to me. 

I've been down the road of having to block and reissue a compromised merchant database a time or two. There's never a "best case scenario" of a compromised database. The best case scenario is it doesn't happen. But I've had small breaks (80 member accounts affected) and fairly big breaks (400 member accounts affected). There's the estimated ~$15 you spend reissuing cards and closing accounts. And then there's the ~$10 you spend on credit monitoring on the accounts. That's ~$25 per account, so at worst it's about $10,000 that I've had to account for after a breach. And that's why, recently, there's a thought that's been troubling me.

The thought that the breach of Heartland Payment Systems has the potential to affect up to 100 million accounts. Click here for the CU Journal article

100 million! One. Hundred. Million. I'm hoping the math makes sense for you here, because 100 million times $25 equals $2.5 BILLION. In losses and monitoring and trouble and waste.

Is that not staggering? And get this: the attack that caused all of this was only discovered a month or so ago. It could have happened, according to the first article above, as long as six months ago. Half a year, someone was there with their hands in the cookie jar and it was just recently uncovered. 

This InformationWeek article (click here) explains that security breaches cost financial institutions $6.6 million on average last year. They also mentioned that Heartland has looked into "accelerating its effort to deploy end-to-end encryption to protect its transaction data". Seems to me that kind of protection should have been put in place when they knew there'd be 100 million accounts at stake. An ounce of prevention versus a pound of cure.

Maybe it just bothers me because I'm an old numbers guy. I see a number like 100 million, like $6.6 million, like $2.5 billion, and I think "make this system untouchable by any means necessary". Hopefully, this latest breach is not the type I'm referring to and it's just a wake-up call!

Thoughts? Opinions? Objections? I'm open to other ways of thinking. Comment away.


TrackBack URL for this entry:

Listed below are links to weblogs that reference The Heartland Hack is Still a Problem...a HUGE Problem.:


Feed You can follow this conversation by subscribing to the comment feed for this post.

Agreed, they should have had those encryption regulations/standards in place already. It's sad but I've sort of become numb to amounts of money listed in the millions and billions. Those amounts are so out of my ability to comprehend and we hear about million/billion dollar losses and bailouts every single day. It's sort of like becoming numb to violence from watching too many violent movies...

You're right, that number is staggering... but the cleanup costs along are going to be unreal. Canadian Tire has already cancelled/re-issued all of their customers that were potentially affected. Who's next? Will the class-action lawsuit succeed?

On another note, SRA Int'l was also "hacked", so to speak by malware. What you'll find odd if you dig into the news a little is that they both claim that their virus-software didn't detect the malware... interesting right? 0day/custom malware you think? I suspect that things will only get worse, now that the economy is poor. I've written about this exhaustively on my blog, and continue to follow it. You're welcome to read on.

Visa announced on Friday, March 13, 2009 that Heartland has been removed from its PCI compliant list (almost 2 months after announcement) - yet Heartland continues to "on board" new merchants. New merchants who are still accepting our members plastic! Ready for a Heartland Take Two?


Ever wondered why it took Heartland (and Visa) so long to announce the breach? Perhaps, insiders needed time to liquidate thier stock positions?

S. Butterfield

The comments to this entry are closed.