Computerworld is reporting that Heartland Payment Systems' recent quarterly financial filing revealed that the credit card payment processor's expenses related to their 2008 breach of 130 million credit cards have risen to $139.4 million.
This is a far cry from the $12 million CEO Bob Carr said was the appropriate amount to set aside in December 2009 when he settled with American Express for $3.6 million. In January 2010, just one month later, Heartland settled for $60 million with Visa.
The Computerworld article also reports that a recent Ponemon Institute study shows that the average cost per security breach in the U.S. rose to $6.75 million. The "per record' cost is averaging $204.
First, while not to invalidate, or even question, the results of this study, I would like to point out that it was sponsored
by PGP Corporation (being acquired by Symantec).
Second, I am not a big fan of averages. See the Flaw of Averages by Sam Savage of Stanford. The point being that you cannot use the average when calculating your risk of the cost of a breach. And Heartland's costs make the point.
The IDG News Service is reporting:
Hacker mastermind Albert Gonzalez was sentenced Thursday in U.S.
District Court to two concurrent 20-year stints in prison for his role
in what prosecutors called the "unparalleled" theft of millions of
credit card numbers from major U.S. retailers.
The retailers who suffered breaches were TJX, Office Max, DSW, and Dave & Buster's. Gonzalez was also involved in the well known breaches at Heartland Payment Systems, Hannaford Supermarkets and 7-Eleven chains.
I applaud the stiff sentence, but I don't think this will have much effect on reducing cyber crime for two reasons:
- The percentage of cyber criminals who are caught is very low.
- Much of the activity now is coming from parts of the world where getting cooperation from local governments is difficult. In fact, some believe the governments are abetting the criminals.
Read more of the details here.
Heartland Payment Systems has agreed to pay up to $60 million to Visa and Visa Issuing banks for its 2008 breach of over 130 million credit card data. The press release offers very little in the way of details and simply says, "Visa will present the details of the settlement in coming days."
A key question is whether this settlement includes the issuing banks' costs for reissuing cards or just losses due to actual card fraud directly related to the illegal use of the stolen card data.
Recently, issuing credit card unions and their insurance company lost a lawsuit they filed against BJ's and its acquiring bank, Fifth Third, for losses they incurred which resulted from BJ's 2004 breach. The key difference with this settlement is that Visa was directly involved in the negotiations. If Visa were to terminate Heartland's Visa card processing contract, it could be an existential blow to Heartland.
The amount of this settlement blows well past the $12 million CEO Bob Carr said Heartland set aside when he announced the $3.6 million settlement with American Express. Of course, it may be years before we know (if we ever find out) exactly how much Heartland actually has to pay.
Let the payments begin. Heartland Payment Systems settled the lawsuit brought by American Express due to Heartland's 2008 breach of 130 million credit cards (which I wrote about here) for $3.6 million. There are still many more lawsuits outstanding including Visa and MasterCard which no doubt represent the majority of the credit cards stolen.
The article quotes Heartland CEO, Bob Carr, as saying that Heartland "has set aside $12.6 million to charges related to the hack." I find this number to be a gross underestimation considering that TJX believes its breach will cost $250 million as reported here, here, and here.
The first adjudicated lawsuit against the executives of Heartland Payment Systems went in favor of the defense.
As I am sure you aware, Heartland Payment Systems is embroiled in countless lawsuits as a result of the disclosure it had to make in January 2009 of a breach of over 130 million credit card numbers. It is considered the largest breach of credit card data in history.
A class action shareholder lawsuit filed against the executives of Heartland was dismissed earlier this month by Judge Anne Thompson of the U.S. District Court of New Jersey on the basis that the executives' claim that they took security seriously was not a lie. Here is the actual opinion.here.
Gene Schultz weighed in with a thoughtful opinion here.
While I am no lawyer, it seems to me that this lawsuit was very narrowly focused and based on my reading of the opinion, it's hard to see how the judge could have found for the plaintiff.
A lawsuit that would bring out the emails and memos associated with a variety of compliance and security decisions made by the Heartland executives would be more interesting.