1/20/2009 Heartland Payment Systems

130,000,000 financial accounts were compromised
Heartland Payment Systems, a major payment processing company, disclosed a major data breach on its systems that exposed 130 million credit and debit card customers to fraud. HPS processes 100 million payment card transactions per month for 175,000 merchants. Heartland’s president and CFO said that the intruders had access to Heartland’s system for “longer than weeks” in late 2008.

<[ www.securityfocus.com/news/11557 ] www.nytimes.com/2013/02/21/technology/hacking-victims-edge-into-light.html

UPDATE (01/26/2009): Heartland Payment Systems has been sued. The lawsuit seeks damages and relief for the inexplicable delay, questionable timing, and inaccuracies concerning the disclosures with regard to the data breach, which is believed to be the largest in U.S. history.

UPDATE(02/12/2009): According to BankInfoSecurity.com, the number of financial institutions that have come forward to say they have been contacted by their credit card companies Visa and MasterCard in relation to the breach has jumped from fewer than 50 to more than 200.

UPDATE (06/04/2009): While it’s hard to get a handle on just how many consumers were affected by the Heartland Payment Systems (HPY) data breach, the total number of institutions now reporting card compromises is at 656.

UPDATE (06/16/2009): Heartland lawsuits to be heard in Texas. The Judicial Panel on Multidistrict Litigation in Louisville, KY issued its decision to consolidate the class action suits. The lawsuits will be heard in the Southern District Court of Texas in Houston. Thirty-one separate lawsuits, on behalf of consumers, investors, banks and credit unions, have been filed against Princeton,N.J.-based Heartland.

UPDATE (07/06/2009): Heartland Payment Systems successfully completed the first phase of an end-to-end encryption pilot project designed to enhance its security.

UPDATE (08/20/2009): Albert Segvec Gonzalez has been indicted by a federal grand jury in New Jersey – along with two unnamed Russian conspirators – on charges of hacking into Heartland Payment Systems, the New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed national retailers, according to the indictment unsealed Monday. Gonzalez, a former Secret Service informant, is already awaiting trial over his involvement in the TJX hack.Total records breached: 100 million transactions per month. It is unclear how many account numbers have been compromised, and how many are represented by multiple transactions. The number of records breached is an estimate, subject to revision.

UPDATE (08/20/2009): According to the court document, hackers stole more than 130 million credit and debit card numbers from Heartland and Hannaford combined.

UPDATE (05/12/2010): The costs to Heartland Payment Systems Inc. from the massive data breach that it disclosed in January 2009 appear to be steadily adding up. Quarterly financial results released by Heartland last week show that the card payment processor has accrued $139.4 million in breach-related expenses. The figure includes a settlement totaling nearly $60 million with Visa, another of about $3.5 million with American Express and more than $26 million in legal fees. That total also includes $42.8 million that Heartland has set aside to fund proposed settlements with several other litigants over the breach. One example of what the fund is set up for is Heartland’s offer to settle several consumer class action lawsuits against it for four million. So far, Heartland has recovered about $30 million from insurance companies.

UPDATE (06/02/2010): Heartland Payment Systems has made a third settlement deal, this time with MasterCard, related to a massive data breach two years ago at the card payments processor. As part of the deal, Heartland has agreed to pay as much as US$41.1 million to MasterCard issuers that lost money as a result of the data breach. The deal is contingent on financial institutions representing 80 percent of the affected MasterCard accounts accepting the offer by June 25. MasterCard is recommending that issuers accept the offer.

UPDATE (09/01/2010): Heartland Payment Systems has agreed to settle with Discover for five million dollars. Discover will use the money to cover costs of fraud incidents and reissuing cards.

UPDATE (09/19/2010): Jerome Abaquin Gonzales is expected to surrender to police and serve jail time for participating in a credit card forgery ring which used information from the Heartland breach. The information came from the 4.2 million Discover credit card customers who used their cards at Hannaford Brothers.

UPDATE (09/22/2010): Thomas Michio Taniguchi was sentenced to prison for his role in the forgery ring in which Jerome Abaquin Gonzales also participated.

UPDATE (12/07/2011): Heartland legal representatives were able to successfully argue that most of the claims against Heartland that were filed by nine banks should be dismissed. All but one claim was dismissed.

UPDATE(02/12/2012): The nine banks may have had their claims against Heartland dismissed because Heartland reported that sharing a contractual relationship with the banks defeats their appeal. However, the credit-card-issuing banks are arguing that a New Jersey economic loss rule only bars claims for foreseeable economic losses when the parties are in a contractual relationship and does not bar their negligence claim against Heartland.

UPDATE(07/25/2013): Five more foreign hackers were charged for their role in stealing information from Heartland Payment Systems, NASDAQ, Dow Jones, JetBlue, and J.C. Penney.



Return to 2009 details page
Year links page
Return to References page

Links above were active at the time they were gathered. Links shown in non-hypertext (not clickable) are known to be no longer supported on their hosts.