Possibly the most turbulent time in Bob Carr’s professional life began on January 12, 2009, after he and his chief financial officer, Bob Baldwin had spent a day with investment bankers in New York, exploring the possibility of buying a bank.
When he returned to his hotel Carr discovered an urgent message from Heartland’s head of technology in Plano, Texas, who told Carr that the company’s data files, “had been attacked and infiltrated on a devastating scale.” Carr describes the ordeal in his new book, Through the Fires:
It was soon described as the largest security breach in history. Credit and debit card numbers — and information for millions of transactions — could have been exposed. As bad as it is for a retailer like Home Depot or Target or Neiman Marcus to be hit with a breach, it is potentially even more damaging, and damning, when it happens to a transactions company with its access to so many cards and a promise to protect them.
This was a catastrophe. I knew immediately it could mean the end of Heartland . . . Credit card security breaches in corporations are even more common than people realize. While many high-profile breaches have been disclosed, there are many others you don’t hear about. At plenty of companies, online attacks are treated, as a 2013 New York Times article put it, as a dirty secret best kept from customers, shareholders, and competitors.
As the victim of a breach, I believed it was our ethical obligation to disclose it and help others understand what we learned. We saw it as our duty to work with others in the industry to safeguard against cyberthieves.
We even went to our competitors and gave them copies of the malware, the malicious software used in the breach, so they would know how to identify it in case it had been inserted into their own data centers by the bad guys. We told them everything we could about how Heartland had been penetrated, so they could prevent the same attack from happening to them.
Some people have asked: Why would you help your competitors? After all, if one of them suffers a breach, doesn’t that possibly mean more business for you guys at Heartland?
That kind of thinking shows how cynical the corporate culture can become. We are perfectly happy to compete on the basis of delivering the best product and the best service. We don’t want to succeed by having the crooks rob our competitors.
We helped develop an end-to-end encryption technology that scrambles card numbers into a code that cannot be detected by invaders — from the time the card is swiped until the processing of a purchase is entirely complete. We have shared much of this innovative technology with our competitors.
Heartland also took the lead in forming an organization to share tools and information with other companies to combat cyber fraud. It’s called the Payments Processing Information Sharing Council, and it works with law enforcement authorities to combat the hackers . . .
We lost only 2 percent of our customer base due to the breach, a whale of an accomplishment, given the circumstances. I believe that is owed to our salespeople going immediately to our customers and telling them everything . . .
Being straightforward with employees and customers helped us recover in the market and make us even stronger. Our stock, which had plunged to $3.45 came back to nearly $15 per share by the fall of 2009, and before long would more than triple that number.
Bob Carr’s book, “Through the Fires,” can be ordered through his blog, www.robertocarr.com. Proceeds will be donated to the Give Something Back Foundation and the Heartland Cares Foundation.