Heartland Payment Systems, the country’s sixth-largest credit card processor, has been hacked in what is being called the worst leak of credit card information ever. For a still-undetermined number of weeks late in 2008, a piece of malevolent software in its payment processing system was capturing data from transactions of some or all of the 175,000 merchants for whom it processes credit and debit card charges.
The news came out on January 20, when the attention of most Americans was firmly fixed on the Inauguration. Throughout the following week, hundreds of newspaper, trade magazine, and blog articles have detailed the effects of the breach and speculated on what effect it will have on the company, which has its headquarters on Nassau Street and maintains a satellite office in Carnegie Center.
Information is still being added as ripples from the high-tech theft move across financial institutions and spook their already nervous customers. Day after day, in cities all over the country, banks are announcing that they are issuing new credit and debit cards to their customers to contain the damage — or potential damage. In some cases the banks are linking fraudulent charges to the stolen information. In others, they are being cautious.
Heartland is headed by CEO Robert Carr, who co-founded the company in 1997. Carr, a Princeton resident who was given the New Jersey Preservation Award for renovating Woodrow Wilson’s house, is a frequent speaker on the dangers of credit card theft, a subject on which he addressed the Princeton Chamber of Commerce last August. A philanthropist, he and his wife, Jill, formed the Give Something Back Foundation, which funds college scholarships for disadvantaged children.
Carr appears to have moved quickly to put his own damage control plan into action. Jason Maloni, spokesperson for Heartland, says that the company retained his communications firm, which he declines to name, to help get out its side of the story. “No Social Security information was stolen,” says Maloni. “No addresses, no zip codes, no PIN numbers.” The thieves took information encoded on the magnetic stripes of debit and credit cards, and in some cases also took the names that go along with that data, the cards’ expiration dates, and bank codes. Having just these pieces “makes identity theft highly unlikely,” says Maloni.
Rare is the merchant who won’t ask for the security code on the back of a card or for the cardholder’s PIN number, he says. Asked about the increasingly common type of small transaction in which a cardholder merely holds his card up to a reader, Maloni says that he is not sure whether these transactions could be affected.
Beyond hiring a communications firm to talk with the media, Heartland went straight to its clients, businesses and merchants — all 175,000 of them — to provide information and reassurance. “We’ve called 150,000,” says Maloni during a phone interview on January 26, “and we’ll reach everyone by today.”
Maloni says that Heartland, which employs 45 people in Princeton and 29,000 worldwide, did not hire any additional employees to make these calls, but rather relied on its own staff. It also set up an information website, www.2008breach.com, and a toll-free phone number, 866-399-6228, to field questions from merchants and to give advice to consumers.
Before setting damage control in place, Heartland alerted the Secret Service. “It was the first call they made,” says Maloni, explaining that the Secret Service, best known for protecting presidents, is the arm of the U.S. Treasury Department that is responsible for international data theft.
With the investigation of its security breach in the hands of the Secret Service, Heartland, which has issued statements saying that its security hole has been plugged, is now working at turning attention on the larger issues involved in electronic purchase transactions. Carr is calling for “end to end encryption” of credit card data, a system whereby data would be encrypted at all times, even when it was not being actively used. He is also advocating an open sharing of security issues among all credit card processors. He says that cyber criminals tend to use similar methods, and that his company’s breach might have been prevented had it known about similar breaches at other companies.
Meanwhile, banks from coast to coast are alerting customers, telling them their credit cards may have been compromised, and in some cases informing them that their cards will soon cease to be honored and will be replaced by new cards in 7 or 14 days. All of this costs money, and there is speculation that Heartland may have to foot the bills. Maloni says that he is not sure what the company’s policy will be on reimbursing the banks. “We understand there has been an inconvenience,” he says.
Heartland’s stock lost nearly half of its value in the wake of the breach, sinking from close to $16 a share before the announcement of the breach to $8.43 a share a week later. There could be more bad news to come if the banks that issued the compromised cards, and which generally insure the cards’ users against fraudulent charges, decide to sue Heartland.
Meanwhile, Heartland, through its spokesperson, says that the company’s security system is “as tight as it can be.”
Heartland Payment Systems (HPY), 90 Nassau Street, Second Floor, Princeton 08542; 888-798-3131; fax, 609-683-3815. Robert Carr, CEO. www.heartlandpaymentsystems.com.