Heartland Payment Systems: Breach Bad As Tylenol Poisonings?

Jan.26.09 | About: Heartland Payment (HPY)

Heartland Payment Systems' stock (NYSE:HPY) was hit hard in the wake of what is being described as the biggest single breach of consumer and financial data security ever. The company issued statements Friday (1/23) in an effort at damage control in which the CEO compares the potential industry-wide impact of the breach to none other than that of the Tylenol poisonings of some twenty-five years ago that nearly brought down the drug maker.

Not the kind of association I would want to make for my company, but then it's not my company.

Worse yet, Heartland's press release was crafted with the kind of classic crisis-response-mode denials, deflections, and spin that we have all become so accustomed to in other sectors of the financial industry.

The data loss debacle at Heartland highlights the fact that information security will be the next major shareholder derivative and D&O liability issue, regulatory, consumer, and national security threat, and class-action litigation subject to impact our ailing economy.

Heartland CEO Robert O. Carr's statements do not contain any details of the breach or anything resembling an apology to consumers and shareholders. Instead, Carr gave himself a pat on the back for expanding Heartland's client base in spite of exposing millions of people and hundreds of banks to fraud and losses.

"Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning," Carr stated.

The press release further states "Heartland Payment Systems added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year."

When Carr does finally address the breach, he seems to imply that the lapse in data security is some kind of validation of Heartland's capacity to respond to threats to its customer base and stakeholders, but only after a breach is uncovered. Carr even managed to sound almost self-congratulatory in the process:

"Our energized organization called on the owners of more than 150,000 business locations these past three days to help them understand the breach and what it means to them. I couldn't be prouder of our entire organization for the way everyone has pulled together to help."

Kudos Heartland? No. The congratulations should instead go to the kind of executives who are proactive enough to make sure that the measures are in place from day one of contract negotiations with the systems and security providers to ensure these kinds of problems never materialize.

As soon as Heartland's stock began to tank in earnest late last week, leadership chose to respond to this breathtaking lapse in security and due diligence by acting first to reassure their clients and shareholders that all was well at the company, even a bit exciting lately - what with the opportunities the new security vulnerability will give those in the payment industry to share ideas with one another.

Now what about that data breach? You know, the whole reason for the press release in the first place? Little was offered in the press release:

"No confidential merchant data, Social Security numbers, unencrypted personal identification numbers [PIN], addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation."

If no critical data was exposed, what's the real problem then? Well, there are many.

First and most obviously is that for an unknown period of time some consumer and merchant data worthy of encryption were exposed to hackers and thieves when the data were briefly unencrypted and encrypted again during processing, according to bankinfosecurity.com.

Card reissue would solve that problem, albeit at some expense to the companies. I say companies (plural) because if Heartland's system was exposed then it can be expected that the same vulnerabilities have been exploited in systems at other companies, perhaps even in other industries with similar data security software and systems.

Hence the scramble by law enforcement [FBI] and the entire financial industry to figure out what happened.

Also of note is a problem that has been at the forefront of information security from the beginning: The bad guys tend to know more than we do about the vulnerabilities in our data systems because it is worth a lot of money to them.

Aside from network audits and professionals who hunt for holes in security systems for a living (some of whom were at one time themselves hackers), most companies find out about information security issues after their networks are breached.

Even though industry leaders can show that they spend hundreds of millions of dollars on cyber-security, more and more resources - time, talent, money, reputation - are all being lost by reacting to threats after the fact.

There has been a marked increase in attempted and successful attacks on corporate, government, and military systems, yet the looming economic realities today are forcing information security executives and IT departments to try to do more protecting at less cost.

This situation poses a threat to the security of what I call our financial identities, which are made up of the ever-accumulating bits of electronic information that increasingly represent the bulk of our identity and net worth, which can disappear in minutes from a sharp dip in the markets, or in the blink of eye with just the click of a mouse.

The economic downturn is further exposing our financial identities to fraud and exploitation from external threats such as criminally intent hackers, as well as from internal threats like budget cuts, cutting corners on security due diligence, or cash-hungry employees who may succumb to the temptation to sell sensitive data in the lucrative information and identity black-markets that thrive on the Internet.

Another big problem is that despite Heartland's assurances, the company understands neither the size nor scope of the breach, let alone how it happened.

"Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative," the press release states.

Well, there is a lot to speculate about.

Given the financial industry's record of not fully disclosing damaging information to consumers or shareholders, even as required by law, it can be expected that further details of this case will reveal this breach is much worse than anyone is letting on, especially Heartland executives.

Heartland is the sixth-largest payment processor in the country, with as many as a quarter of a million payment and payroll clients, and they may be only one of many similar companies targeted in a broader criminal activity meant to defraud through malicious software known as "malware."

Visa (NYSE:V) and MasterCard (NYSE:MA), who first recognized discrepancies in their own records, notified Heartland of a potential problems late in 2008.

"Visa and Mastercard instructing many card issuers to offer fraud-monitoring protection, replace cards, or do a combination of both for customers whose card purchases were processed by Heartland."

Visa and MasterCard wouldn't elaborate, citing an ongoing FBI criminal investigation.

"Heartland should feel urgency to notify everyone who could be a victim, says Todd Davis, CEO of LifeLock, a fraud-monitoring service. "Victims are sitting naked, not knowing whether to take extra steps to protect themselves," he says. "The default should be toward notifying all possible victims," according to the Detroit Free Press.

Oh yes! The victims of this fiasco - what is on the agenda for them? Heartland's press release instructs them to basically fend for themselves for now, which is a fairly typical response to consumer data breaches.

"Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible," Heartland assures in their press release.

Sounds painless enough, but I really doubt it will be pain free for those who will have to deal with it.

Not only will this be a tremendously stressful and potentially time consuming endeavor for the affected cardholders, this is also a tremendous drain on the financial resources of an already troubled industry.

Heartland's stock value has lost more than 50% of its twelve-month high. Visa (V) and MasterCard (MA) have seen similar declines. Ultimately, the lawyers will join the fray, multiple lawsuits will be filed, the costs will continue to climb, and shareholder value will continue to decline.

Information and data security are essential to protecting every single individual's financial identity, and every corporation's value from falling prey to the most sophisticated forms of cyber-attack conceivable.

President Obama has indicated he is taking cyber-security very seriously, going so far as to announce the pending appointment of a cyber-advisor to spearhead efforts.

In this age of electronic everything, more than at any other time in history, losing data translates in very real terms to losing dollars, and that is widely accepted across most industries.

Moving forward, we should also start thinking of our financial identities, our investments, our assets, and all of our wealth as really being nothing more than data. Data to be to be kept safely, not lost or stolen.

Carr concluded, "Just as the Tylenol[R] crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data - and therefore businesses and consumers - much more effectively."

If Carr is comparing this breach to the Tylenol poisonings, a textbook commercial and consumer nightmare of epic proportion - including multiple deaths - then you know this breach is going to be something really, really big in the end.

Disclosure: No Position