Seeking Alpha
Heartland Payment Systems' stock (HPY) was hit hard in the wake of what is being described as the biggest single breach of consumer and financial data security ever. The company issued statements Friday (1/23) in an effort at damage control in which the CEO compares the potential industry-wide impact of the breach to none other than that of the Tylenol poisonings of some twenty-five years ago that nearly brought down the drug maker.

Not the kind of association I would want to make for my company, but then it's not my company.

Worse yet, Heartland's press release was crafted with the kind of classic crisis-response-mode denials, deflections, and spin that we have all become so accustomed to in other sectors of the financial industry.

The data loss debacle at Heartland highlights the fact that information security will be the next major issue to impact our ailing economy: a shareholder derivative and D&O liability issue, a regulatory, consumer, and national security threat, and a subject of class-action litigation.

Heartland CEO Robert O. Carr's statements do not contain any details of the breach or anything resembling an apology to consumers and shareholders. Instead, Carr gave himself a pat on the back for expanding Heartland's client base in spite of exposing millions of people and hundreds of banks to fraud and losses.

"Despite the headwinds of the economy and attacks by some of our competitors, we have installed new merchants, new payroll clients and new check management clients since our disclosure of the breach on Tuesday morning," Carr stated.

The press release further states "Heartland Payment Systems added more than 400 merchants to its client base in the past few days - exceeding results for the same period from last year."

When Carr does finally address the breach, he seems to imply that the lapse in data security is some kind of validation of Heartland's capacity to respond to threats to its customer base and stakeholders, but only after a breach is uncovered. Carr even managed to sound almost self-congratulatory in the process:

"Our energized organization called on the owners of more than 150,000 business locations these past three days to help them understand the breach and what it means to them. I couldn't be prouder of our entire organization for the way everyone has pulled together to help."

Kudos Heartland? No. The congratulations should instead go to the kind of executives who are proactive enough to make sure that the measures are in place from day one of contract negotiations with the systems and security providers to ensure these kinds of problems never materialize.

As soon as Heartland's stock began to tank in earnest late last week, leadership chose to respond to this breathtaking lapse in security and due diligence by acting first to reassure their clients and shareholders that all was well at the company, and even a bit exciting lately, what with the opportunities the newly discovered security vulnerability will give those in the payment industry to share ideas with one another.

Now what about that data breach? You know, the whole reason for the press release in the first place? Little was offered in the press release:

"No confidential merchant data, Social Security numbers, unencrypted personal identification numbers [PIN], addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation."

If no critical data was exposed, what's the real problem then? Well, there are many.

First and most obviously, for an unknown period of time some consumer and merchant data worthy of encryption were exposed to hackers and thieves, because the data were briefly decrypted and then re-encrypted during processing, according to bankinfosecurity.com.

Card reissue would solve that problem, albeit at some expense to the companies. I say companies (plural) because if Heartland's system was exposed then it can be expected that the same vulnerabilities have been exploited in systems at other companies, perhaps even in other industries with similar data security software and systems.

Hence the scramble by law enforcement [FBI] and the entire financial industry to figure out what happened.

Also of note is a problem that has been at the forefront of information security from the beginning: The bad guys tend to know more than we do about the vulnerabilities in our data systems because it is worth a lot of money to them.

Aside from network audits and professionals who hunt for holes in security systems for a living (some of whom were at one time themselves hackers), most companies find out about information security issues after their networks are breached.

Even though industry leaders can show that they spend hundreds of millions of dollars on cyber-security, more and more resources - time, talent, money, reputation - are all being lost by reacting to threats after the fact.

There has been a marked increase in attempted and successful attacks on corporate, government, and military systems, yet the looming economic realities today are forcing information security executives and IT departments to try to do more protecting at less cost.

This situation poses a threat to the security of what I call our financial identities, which are made up of the ever-accumulating bits of electronic information that increasingly represent the bulk of our identity and net worth, and which can disappear in minutes from a sharp dip in the markets, or in the blink of an eye with just the click of a mouse.

The economic downturn is further exposing our financial identities to fraud and exploitation from external threats such as criminally intent hackers, as well as from internal threats like budget cuts, cutting corners on security due diligence, or cash-hungry employees who may succumb to the temptation to sell sensitive data in the lucrative information and identity black-markets that thrive on the Internet.

Another big problem is that despite Heartland's assurances, the company understands neither the size nor scope of the breach, let alone how it happened.

"Heartland does not yet know how many card numbers were obtained. Many reports in the press are speculative," the press release states.

Well, there is a lot to speculate about.

Given the financial industry's record of not fully disclosing damaging information to consumers or shareholders, even as required by law, it can be expected that further details of this case will reveal this breach is much worse than anyone is letting on, especially Heartland executives.

Heartland is the sixth-largest payment processor in the country, with as many as a quarter of a million payment and payroll clients, and they may be only one of many similar companies targeted in a broader criminal activity meant to defraud through malicious software known as "malware."

Visa (V) and MasterCard (MA), who first recognized discrepancies in their own records, notified Heartland of potential problems late in 2008.

"Visa and MasterCard [are] instructing many card issuers to offer fraud-monitoring protection, replace cards, or do a combination of both for customers whose card purchases were processed by Heartland."

Visa and MasterCard wouldn't elaborate, citing an ongoing FBI criminal investigation.

"Heartland should feel urgency to notify everyone who could be a victim," says Todd Davis, CEO of LifeLock, a fraud-monitoring service. "Victims are sitting naked, not knowing whether to take extra steps to protect themselves," he says. "The default should be toward notifying all possible victims," according to the Detroit Free Press.

Oh yes! The victims of this fiasco - what is on the agenda for them? Heartland's press release instructs them to basically fend for themselves for now, which is a fairly typical response to consumer data breaches.

"Consumers will know if their card account numbers have been used by reviewing their monthly statements. Cardholders should report suspicious activity to their issuing banks (the bank that issued the card, not the card brand). If unauthorized use is confirmed, cardholders are reimbursed for the fraudulent purchases and are not held financially responsible," Heartland assures in their press release.

Sounds painless enough, but I really doubt it will be pain free for those who will have to deal with it.

Not only will this be a tremendously stressful and potentially time-consuming endeavor for the affected cardholders, it is also a tremendous drain on the financial resources of an already troubled industry.

Heartland's stock value has lost more than 50% of its twelve-month high. Visa (V) and MasterCard (MA) have seen similar declines. Ultimately, the lawyers will join the fray, multiple lawsuits will be filed, the costs will continue to climb, and shareholder value will continue to decline.

Information and data security are essential to protecting every single individual's financial identity, and every corporation's value from falling prey to the most sophisticated forms of cyber-attack conceivable.

President Obama has indicated he is taking cyber-security very seriously, going so far as to announce the pending appointment of a cyber-advisor to spearhead efforts.

In this age of electronic everything, more than at any other time in history, losing data translates in very real terms to losing dollars, and that is widely accepted across most industries.

Moving forward, we should also start thinking of our financial identities, our investments, our assets, and all of our wealth as really being nothing more than data. Data to be kept safely, not lost or stolen.

Carr concluded, "Just as the Tylenol[R] crisis engendered a whole new packaging standard, our aspiration is to use this recent breach incident to help the payments industry find ways to protect its data - and therefore businesses and consumers - much more effectively."

If Carr is comparing this breach to the Tylenol poisonings, a textbook commercial and consumer nightmare of epic proportion - including multiple deaths - then you know this breach is going to be something really, really big in the end.

Disclosure: No Position

Comments
  •  
    PricewaterhouseCoopers and Carnegie Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture, and people aren't getting the training they need. For example: Microsoft patched for this worm 4 months ago. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me. Check your local library: a book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
    The author, David Scott, has an interview that is a great exposure: businessforum.com/DSco... -
    The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
    In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.
    Jan 26 07:05 AM | Link | Reply
  •  
    John Frank (right) - why are you posting an advertisement for your book on each and every article I come across regarding Heartland?

    Do you really think people don't know that you're actually David Scott? What does your book say about lying to people about your identity to get them to buy your wares?
    Jan 26 04:22 PM | Link | Reply
  •  
    You should take the time to learn how this industry's disclosure process functions before you attack Bob Carr. Further up the food chain is where disclosure policy emanates. Moreover, Mr. Smartguy Knowitall, Carr's reference to the Tylenol case displays his commitment to combating this event with as much visibility as allowed, and with honorable regard for his customers, shareholders, and employees; just as J&J did with the same successful results. Grow up!
    Jan 27 06:34 AM | Link | Reply
  •  
    When is a breach notice not a breach notice? It's been my experience that the more evasive and self-serving the explanation, the more likely there is more to be explained. Seems these folks are missing informed leadership to help get the issue clearly contained and addressed. Good PR folks can't fill gaps in poor incident handling preparations, leadership or execution.
    Feb 01 02:11 AM | Link | Reply
  •  
    This is an idiotic analogy. Seven persons *died* in 1982. You even link to the Wikipedia article about the case, but did you bother to read it? Oh, I get you're just trying to make a point. If you were a grown-up in 1982, you might have a different perspective I think; I hope. I was running a crime lab in 1982, nowhere near Chicago, but I assure you, the panic was literally global. If you need an example of a breach bringing down the business, please use CardSystems, not J&J.
    Feb 01 09:45 PM | Link | Reply
  •  
    User 348841: "This is an idiotic analogy. Seven persons *died* in 1982. You even link to the Wikipedia article about the case, but did you bother to read it? Oh, I get you're just trying to make a point. If you were a grown-up in 1982, you might have a different perspective I think; I hope. I was running a crime lab in 1982, nowhere near Chicago, but I assure you, the panic was literally global. If you need an example of a breach bringing down the business, please use CardSystems, not J&J."

    Excuse me, but you are an idiot - it was not me who used the Tylenol Poisonings as an analogy - it was ROBERT CARR!

    Read the article before you comment so you do not sound like such a tard in your comments...
    Feb 02 10:42 AM | Link | Reply
  •  
    Crabby Tom: "Mr. Smartguy Knowitall, Carr's reference to the Tylenol case displays his commitment to combating this event with as much visibility as allowed, and with honorable regard for his customers, shareholders, and employees; just as J&J did with the same successful results. Grow up!"

    Mr. Carr's reference to the Tylenol Poisonings shows that this is a bigger event than has been reported in the press, and needs further examination.

    Please see the follow-up article, which includes a response I received from Heartland Reps on Friday:

    information-security-r.../
    Feb 02 10:46 AM | Link | Reply
  •  
    No critical data was exposed?
    Per the letter my bank sent me today...

    "We have been provided with a list of credit card numbers by VISA that may have been compromised as a result of the data breach at Heartland Payment, a company that processes debit and credit cards nationwide. Unfortunately your Card ending with **** was on the list."
    Feb 25 02:30 PM | Link | Reply
  •  
    Tom -

    seekingalpha.com/artic...

    Yours Truly...


    On Jan 27 06:34 AM Crabby Tom wrote:

    > You should take the time to learn how this industry's disclosure
    > process functions before you attack Bob Carr. Further up the food
    > chain is where disclosure policy emanates. Moreover, Mr. Smartguy
    > Knowitall, Carr's reference to the Tylenol case displays his commitment
    > to combating this event with as much visibility as allowed, and with
    > honorable regard for his customers, shareholders, and employees;
    > just as J&J did with the same successful results. Grow up!
    Feb 27 05:57 PM | Link | Reply
  •  
    As someone who worked for Heartland Payment Systems, I can tell you up-close and personal that Bob Carr has built an incredible company dedicated to the merchants' protection and to servicing the merchants with the highest of standards in the credit card industry. It has and always will be Heartland's foundational truth to put the merchant 1st. This tragedy is how thieves do business in this 21st century world. It could have been any other company in the industry. Breaching Heartland has been a feather in the hat of the thieves because of the security standards Heartland has developed. If I know Bob Carr, this is personal. He is sincere and will take this attack as a personal attack on all consumers, and will be united in bringing the Credit Card Industry together to work collectively, not as competitors for the merchants but as protectors keeping ahead of the curve and the bad guys.

    The Credit Card Lady
    Mar 07 11:47 AM | Link | Reply