Did Heartland Payment Systems' CEO Make Insider Trades?

Jan.30.09 | About: Heartland Payment (HPY)

Heartland CEO Questionable Stock Trades

click to enlarge

Click to enlarge

Heartland Payment Systems (NYSE:HPY) and Federal investigators have released more details about the technical nature of the massive financial data breach made public last week, but have refused to pinpoint the exact date that Heartland first became aware there may have been a problem with their network security.

The date they settle on may well be the difference between market serendipity and an SEC investigation for insider trading, as an examination of stock sales made by Heartland CEO Robert O. Carr in the second half of 2008 raises some serious questions about just who knew what and when in the latest version of the worst-ever information security breach which has now spawned a class action lawsuit.

Federal investigators and the Secret Service have apparently traced the Heartland data breach to sources outside of North America, with some reports indicating Eastern Europe as being the most likely origin of the unauthorized access.

The principles and methods used by the perpetrator(s) have been uncovered, with evidence that is somewhat contradictory in nature, some of which is suspected of being nothing more than red haring planted by the hacker(s) to throw investigators off their trail.

Excerpts from Evan Schuman:

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa (V) and MasterCard (MA) according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said.

Another consultant-who also wanted his name left out-said the ability to write directly to specific disk sectors is frightening. “Somehow, these guys went directly to the base level of the machine (to an area) that was not part of the file table for the disk,” he said. “Somehow, they got around the operating system. That’s a scary mother in and of itself.”

Other industry brains were less impressed. One nationally recognized and certified information security expert who I corresponded with Wednesday evening regarding the breach indicated that the hackers exploited a system weakness that should have been well known to Heartland, for which protocols issued several years ago.

From my email conversation:

“This was an ‘I told you so’ moment for me. I know exactly which part of the process got hit. It was the un-encrypted Point-to-Point connection which occurs between the Host Security Module (HSM) and the Application Security Module (ASM).

“But that means that they had to have had a hole in their firewall to insert the sniffer into unallocated disk space.“

“Now Heartland is crying poor me, and the making it sound like they are heroes by claiming that they are going to ‘develop’ end to end encryption. They should have been using the ISO Banking Security Standards which were promulgated in 2004/2005. They should be expected to uphold the standard.”

It looks as if the techies have already dissected the mechanics of this modern day cyber-cat-burglar, but ten days later we still have no clear idea of how long the sensitive data was exposed or when Carr and other Heartland executives first had an indication that something was not as it should be.

More from Evan Schuman:

Heartland CFO Robert) Baldwin also added more details to the sketchy timeframes that have been revealed thus far about the attacks, specifying that Heartland was contacted by Visa and MasterCard “in very late October,” possibly October 28.

Given that authorities are conducting an investigation, it is understandable that many details will not be released until after an arrest is made, but given the nature of the details that have and have not been revealed, one has to wonder who all is actually under investigation here.

Usually in an on-going criminal investigation, details are withheld from the press and public for many different reasons, but generally it is the mechanistic details of the crime, and often all the press has to report on is the headline and a timestamp.

Oddly enough it is the those details of the crime that have been trickling out that one would not expect - including the suspects possible location - but yet the generalities are being obscured, like what was stolen when did they steal it?

The answer to the latter of the two questions is of particular issue.

If Heartland personnel, and particularly Bob Carr, had absolutely no indication that something was awry with their processing system security until they were alerted by Visa and MasterCard at the end of October, then there is no problem.

Under this scenario, according to the chart above, Carr just happened to be in the middle of a major sell off of Heartland stock unlike any he has ever undertaken before when he found out “late in the fall” about the existence of problems.

It could simply be the case that Carr just happen to decide to sell 80,000 shares of Heartland stock for roughly $1.6 Million a pop on nine separate occasions about every other week in the four month period leading up to the announcement of the breach. These uncharacteristically large and more than frequent liquidations just happen to have occurred while the company was in the middle of an expensive acquisition and expansion of services push, all of course while the credit markets were in total dysfunction.

If on the other hand, company communiqué and records reveal that Heartland knew of possible anomalies in the processing security at the end of August instead of at the end of October, then we have a whole other scenario to apply the data to.

Under this hypothetical situation, Heartland may have discovered problems prior to end of August and may have known it was something serious simply because no one could figure it out. According to the official company statements, this was a difficult intrusion to detect, one that was missed more than once.

Again from Evan Schuman:

The initial internal conclusion was that “it looked most likely that it would be in a certain segment of our processing platform,” said Baldwin, adding that Heartland does not want to identify what that segment was. The company hired a forensic investigation team to come in and focus solely on that one area, an effort that ultimately proved fruitless. “We found issues in a large segment of our processing environment. The one that looked like the most promising turned out to be clean,” he said.

That second team “was nearing conclusion” and was about to make the same assessment the first team did: clean bill of health. But one of the last things that external, qualified risk assessor did was to try and match various temp files with their associated application. When some orphans-.tmp files that couldn’t be matched to any application or the OS-were turned over to Heartland’s internal IT group, they also couldn’t explain them, saying that it was “not in a format we use,” Baldwin said. More investigation ultimately concluded that those temp files were the byproduct of malware, and more searching eventually located the files in the unallocated portions of server disk drives.

So, continuing with the hypothetical scenario, Heartland would have had inside personnel looking for the problem when they get a call of Visa and MasterCard with the friendly heads-up. Heartland could have just not acknowledged the problem until their business partners forced them to.

The end of August is of interest because this is when Carr began to sell of large blocks of stock about every other week, and this was a significantly different trading pattern than Carr had engaged in previously.

If documentation turns up that indicates Heartland knew of serious problems with their network security prior to August 28th, these huge and rapid sell-offs by Carr may look more than suspect to the SEC.

I can not see the strategic value of withholding an accurate timeline of what exactly the company and Carr knew, and when exactly they knew it. But, if it turns out that everything is kosher here and all is as Heartland has indicated so far - which is very little - then I guess I just don’t understand Carr’s trading strategy over the last half of 2008 and how it related to his goals as a CEO for the growth an performance of his company.

They seem to be at odds, but that is no crime, just ask anyone who shorts their own company from time to time. It just needs to be cleared up. Not to worry though, as this is nothing that a solid and well documented timeline won’t be able to take care of (hint hint).

Meanwhile, Heartland’s stock (HPY) bounced back a little Wednesday, but is still trading at nearly half of it’s value prior to the breach announcement.

The data loss debacle at Heartland highlights the fact that the failure to secure information is a growing national security threat, and will be the next major shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue to impact our economy.