Compliance Insight with David Schneier

Heartland Breach Saps Resources, Time from Institutions

Since the Heartland Payment Systems (HPY) data breach became "The Story," I've been trying to keep my distance from a blogging perspective, as it's being covered quite nicely elsewhere. Besides, I'm the regulatory compliance man in the field, and while this story certainly touches on related issues, it's off to the side of what I'm typically looking at.

This week that all changed.

I've been onsite at a financial institution, conducting a risk assessment, and the client had limited open space. So they found me a spare cubicle out amongst the rank-and-file because beggars can't be choosers, and all I really need is a chair, an outlet and a clean desk space to work on. My host explained that it might get a bit noisy, as I'd be sitting with the customer service people, but I tend to like chatter -- particularly because you pick up all sorts of useful tidbits and nuggets that you don't often get via interviews. But this time I was ill-prepared for the experience.

Turns out the only thing their customers were concerned about this week was Heartland. You see, this institution was one of the many whose customers were exposed via the Heartland breach. So the letters went out of the past week or so, alerting the affected accounts to the potential damage caused by the breach. And as you could imagine, it was not news well received. The phones were ringing constantly from early in the morning until late in the afternoon. Call after call from people who first needed to be brought up to speed with what actually happened ("You may have heard about Heartland and the problem's they're having"), then they had to be educated as to what their options were (new card, new account or do nothing and hope for the best) and then they had to make a decision. Some appeared to be angry, some worried and some just plain confused. But this went on all day for the three days I was onsite. I wasn't counting, but it had to be hundreds of calls.

So here's the thing; all of this activity required, all of this time exhausted, and none of it helped the institution increase deposits, sell a loan or a CD. These hundreds of hours that I personally witnessed were put toward trying to make things right for people who did nothing riskier than use their bank card to make a purchase. And because that transaction settled via the Heartland pathway, they became part of the story. But what really bothered me was the realization that for many of those calling in this problem was transparent; they would or could make no distinction between the institution they banked with and Heartland. All they really know is their financial institution was delivering some scary news and was also responsible for fixing the problem. And the way to fix the problem was not good, no matter what they decided.

All of this at a time when confidence in the banking industry is at an all-time low (at least in my lifetime). All of this at a time when banks are on the financial ropes and fighting just to stay in business.

But here's this sick punch line, while I was sitting in my host's office late in the afternoon on my third day, they received another alert about another breach unrelated to Heartland. And the best they could hope for at that point is for a high percentage of those cards included in the newest breach to be the same as those already handled via the Heartland breach.



About the Author

David Schneier

David Schneier

Director of Professional Services

David Schneier is Director of Professional Services for Icons Inc., an information security consultancy focused on helping financial institutions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A and B. He has over 20 years' experience in Information Technology, including application development, infrastructure management, software quality assurance and IT audit and compliance.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.eu, you agree to our use of cookies.