Lessons from the Data Breach at Heartland

How a top payments processor responded to the largest-ever criminal pilfering of credit-card data, and what other companies can learn from it

Robert Carr was settling in for the evening in a New York hotel on Jan. 12 this year when at 10:30 p.m. he got a phone call that every financial services executive dreads. Carr, CEO of Heartland Payment Systems (HPY), learned that intruders might have hacked into the company's computer network.

The next morning, his fears were confirmed. For a period starting in May 2008, cybercriminals had burrowed deeply into Heartland's network and recorded consumers' credit- and debit-card data. "That's the worst thing that can happen to a payments company and it happened to us," says Carr.

Heartland, the fifth-biggest payments processor in the U.S., had suffered what within days would be called the largest-ever criminal breach of card data. Security experts estimate that as many as 100 million cards issued by more than 650 financial services companies may have been compromised. Heartland faces class actions and inquiries by federal regulators over the matter.

Not Keeping Mum

The attack on Heartland, responsible for handling the transfer of funds and information between retailers and cardholders' financial institutions, reflects an upswing in the number of information breaches as hackers get more sophisticated in invading corporate data networks. More electronic records were breached in 2008 than the previous four years combined, according to a report by Verizon Business (VZ) released on Apr. 15.

The intrusions not only put consumer or corporate data at risk but can also exact a high financial and public-relations toll on the companies whose systems are hacked. The TJX Companies (TJX), which operates retailers including T.J. Maxx and Marshalls, has said it incurred costs of more than $171 million related to an intrusion discovered in 2006 that resulted in the compromise of tens of millions of accounts. Costs for the average company are lower, about $6.65 million, according to a January survey by the Ponemon Institute.

Unlike peers who tend to stay mum on security breaches, Carr has gone public with Heartland's story to encourage companies to share information about attacks and band together against cybercriminals who themselves are becoming better organized. He has divulged parts of the story previously but went into extensive detail in an interview with BusinessWeek.com.

The Heartland intrusion began in May 2008, even though the company had passed multiple audits, including one conducted on Apr. 30. At the time, the Princeton (N.J.) company was in compliance with industry standards for data security, Carr says. Still, shortly afterward, 13 pieces of malware that capitalize on weaknesses in Microsoft (MSFT) software infiltrated one or more network servers. "We get pinged 200,000 times per day by people trying to hack into our system," Carr says. "You do everything you can to make sure one of those pings doesn't get through, and we thought we had done everything we could do."

Finding the Weak Link

While Heartland may have tried to cover all its bases, other companies commonly focus on what they think are the most critical servers and neglect ones that seem less important, such as those that manage heating, ventilation, and air conditioning, says Peter Tippett, vice-president for technology and innovation at Verizon Business.

"Big companies have hundreds of these things, and they think they're not worth worrying about or they're managed by a third party," Tippett says. "Bad guys will go after anything they can knock over."

Executives at Heartland first got an inkling that something may have gone wrong in late October, when Visa (V) said some card issuers reported a possible breach. Heartland hired two forensics companies it hasn't identified. Both scoured the network, but it wasn't until Jan. 12 that one found strange-looking data coming from Heartland's system that let Heartland employees uncover the intrusion.

Heartland's hackers, who have yet to be caught, homed in on financial information. In other cases, criminals go after intellectual property. In a survey of 800 chief information officers in eight countries released in January, security firm McAfee (MFE) found that last year those companies lost a combined $4.6 billion worth of intellectual property and spent about $600 million repairing the damage.

On the morning of Jan. 13, Carr canceled his 8 a.m. Manhattan meeting and departed for Heartland's headquarters, a 90-minute drive south. The company notified the required parties, including the FBI, the Treasury Dept., and the Justice Dept., Carr says.

Stock Plunge

That day Carr called a board meeting and brought together the management team to determine how best to respond to the attack. A big priority: how and when to disclose the breach. Heartland says it couldn't release details until law enforcement officials carried out an initial assessment. That helped push back the announcement until Jan. 20, Inauguration Day for President Barack Obama. Pundits accused Heartland of trying to bury the news. Heartland says it made the announcement "as soon as was practicable."

From there, Carr went about trying to contain the damage. He called a meeting of all 3,109 employees and told them their job was to contact customers to let them know what happened and keep them abreast of efforts to keep information secure. In the ensuing weeks, the company called or visited 150,000 of 250,000 customer locations, Carr says. "We did lose a few hundred customers, but I don't think we lost thousands of customers," he says.

Other losses were substantial. Within days, Heartland's stock price dropped 50%. By Mar. 9, it had plummeted 77.6%. The shares have recovered some ground but are still down 50% since before the breach was announced.

So far, Heartland has recorded $12.6 million in expenses related to the intrusion, including litigation and fees that MasterCard (MA) and Visa assessed against Heartland's sponsor banks. The company faces class actions filed on behalf of financial institutions, cardholders, and stockholders. Debit- and credit-card issuers may be held responsible for customer losses and "have suffered irreparable harm…as a result of deceptive, negligent, and unlawful conduct" by Heartland, according to a class action filed by a number of law firms including Chimicles & Tikellis. Heartland denies the allegations.

In the Heartland case, hackers gathered so-called track data from a card's magnetic stripe that includes the account number and, in some cases, a cardholder name. In all, more than 665 financial institutions have been affected by the exposure of credit and debit cards, according to BankInfoSecurity.com. First National Bank of Omaha has reissued 400,000 debit and credit cards, according to spokesman Kevin Langin. Heartland is working with the Justice Dept. and the Secret Service on the continuing investigation.
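As an added illustration (not code from the article or from Heartland), the snippet below detects the ISO/IEC 7813 Track 1 and Track 2 formats the article refers to, the kind of check a forensics team or a data-loss-prevention filter can run over captured outbound data to flag "strange-looking" card records; the sample capture and the test card numbers are constructed, and matches are reported with the account number masked so the detector itself never writes full card numbers to its output.

```python
import re

# Constructed sample of captured outbound data. The card numbers are
# industry test numbers, not real accounts; the last line has a bad checksum.
SAMPLE_CAPTURE = (
    "GET /health HTTP/1.1\n"
    "%B4111111111111111^DOE/JANE^25121011234500000000?\n"   # Track 1: PAN, name, expiry
    ";5500000000000004=2512101123400000?\n"                 # Track 2: PAN, expiry, no name
    "%B4111111111111112^DOE/JANE^2512101?\n"                # looks like Track 1 but fails Luhn
)

# Track 1 starts with "%B", fields separated by "^"; Track 2 starts with ";", PAN then "=".
TRACK1 = re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})")

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: filters out digit runs that merely resemble a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual truncated form for logs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(blob: str) -> list[dict]:
    """Return one masked record per Luhn-valid track found in the blob."""
    hits = []
    for m in TRACK1.finditer(blob):
        if luhn_ok(m.group("pan")):
            hits.append({"track": 1, "pan": mask_pan(m.group("pan")),
                         "name": m.group("name"), "exp": m.group("exp")})
    for m in TRACK2.finditer(blob):
        if luhn_ok(m.group("pan")):
            hits.append({"track": 2, "pan": mask_pan(m.group("pan")), "exp": m.group("exp")})
    return hits

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_CAPTURE):
        print(hit)
```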

Swifter Encryption

Federal agencies including the Federal Trade Commission are looking into Heartland's handling of information security, and the Securities & Exchange Commission has begun an informal inquiry into whether executives unlawfully sold shares amid the crisis. Carr sold Heartland stock in the autumn of 2008 but in a Feb. 24 conference call with analysts said the plan had been previously announced. He also said he had no control over the timing of sales and that he terminated the plan after the company discovered the malware.

To prevent recurrence of breaches, Carr is spearheading an effort to encrypt card data at the point that it's swiped, so that it doesn't travel over networks unencrypted, as is typically the case now. He also co-founded an organization called the Payments Processor Information Sharing Council that encourages companies in the payments industry to share information.

Avivah Litan, an analyst at Gartner, says what's needed is a sweeping overhaul of how payments are handled. "It's a collective problem, it's not just Heartland's problem," she says. "It's Visa's, it's MasterCard's, it's the banks'. … You've got to make some improvements to card technology and cardholder authentication."

She and other analysts credit Carr for his handling of the crisis. "He has come forward and said that this breach has been devastating," says Jay Foley, executive director of the Identity Theft Resource Center. "Too frequently companies will try to stick their head in the sand and try to redirect blame."