Heartland: How This Disaster Exploded
On Tues., Jan. 20 - Inauguration Day - Heartland Payment Systems (HPY) President/CFO Robert Baldwin announced the company had been breached sometime in 2008. Heartland, which processes roughly 100 million transactions per month for 250,000 different businesses, says it discovered malware attached to its processing platform, and an undetermined number of consumers had their names and card numbers exposed to hackers. The breach has subsequently been contained, Baldwin says, and he believes the incident to be part of a broader cyber fraud operation.
Mind you, no enterprising journalist uncovered and exposed this breach, nor was it revealed by any external investigators or law enforcement agencies. It became news when Baldwin made it news, announcing the breach and a website, www.2008breach.com, set up for consumers who fear they may have been victimized. Rather than try to sweep the incident under the rug or hope not to be exposed, Heartland did what we wish all such companies would do. They stood up and said "We've been breached."
Heartland did what we wish all such companies would do. They stood up and said "We've been breached."
But, boy, talk about "No good deed will go unpunished..."
Within hours of the Heartland news going public, our office was besieged by queries from eager PR reps whose clients wanted to jump on this story as a platform to discuss security strategies and solutions.
And you could see right away that many of these correspondents hadn't quite read the story's fine print. Because suddenly a breach of undetermined magnitude had become:
"... a data breach that could be potentially larger than TJX."
"...tens of millions of credit and debit transactions may have been compromised..."
"...a data breach of 100 million credit cards."
"...the biggest breach ever reported."
By late Weds afternoon, I was contacted by KPCC, Southern California Public Radio, whose talk show host Patt Morrison wanted to include me in a panel discussion of the Heartland breach. The storyline here:
"Credit card processor Heartland Payment Systems suffered a huge security breach in 2008, allowing hackers to steal credit card information on more than 100 million accounts. What damage has been done and how worried should consumers be?"
By Weds night, CNBC's On the Money hosted a short exchange on Heartland, punctuated by a bunch of airbags talking over one another and attributing this breach "to a bunch of kids in an Internet cafÃ© in Amsterdam."
It's like an Internet-age game of telephone. Person A says one thing to person B, and by the time it gets down the line to person Z, the story is unrecognizable.
So, the question for Heartland today is: "What damage has been done and how worried should Heartland be?"
I don't even know how to begin to answer that. Until Tuesday, it's safe to say that the average citizen didn't even know who or what Heartland was. Now, having been publicized everywhere from The New York Times and USA Today to NPR and CNBC, the company is suddenly the poster child for what the public is going to perceive as "the biggest breach ever reported."
But while Heartland struggles with its breach and the popular media struggle with getting the story straight, there are serious issues here for all of us to deal with:
- Yes, Virginia, there are global fraud schemes - It's foolish for anyone who calls himself an expert to attribute a sophisticated data breach to "a bunch of kids in an Internet cafÃ© in Amsterdam." We're so past that stereotype now, and it's time to acknowledge that the biggest external threats are organized, professional, expert criminals who are focused 110% on finding new ways to crack secure systems. That said...
- Locking the outside door is only half the job - Think about it: Two of the biggest breaches of 2008 - Bank of New York Mellon and Countrywide Financial - were the result of data loss and a rogue insider. These are two of the biggest threats any of us face today. How much critical data walks out of your institution daily in a laptop, PDA or portable media (thumb drives, etc), and what happens if those devices get left on a train? How many critical employees have walked out of your company's employ recently - their choice or yours - and what sensitive information might have walked out with them? How will your trusted employees behave if they fear losing their jobs or their homes? Remember, bad times don't build character; they reveal it. We're going to see a lot of scary revelations in 2009.
- Heartland is just the beginning - Right now, Heartland's greater issue isn't that it's "the biggest breach ever reported," but rather that it's the first one of 2009, and it fell on a day when the only other news was the Inauguration. It became the big story by default. Safe to say, though, we'll see many similar headlines as the year unfolds. Times are tough, the threats are real, and before this year gets much older we'll all be hearing about new hacks, lost data, malicious or inattentive insiders and The Next Big Story.
It's funny. On Tuesday morning, I'm sure Heartland President Robert Baldwin felt he'd done the right thing by standing up and saying "We've been breached." I wonder how he feels about that decision today?