The Green Sheet Online Edition
June 22, 2015 • Issue 15:06:02
Heartland breached via payroll office
Heartland Payment Systems Inc., which in 2008 was the first major card acquirer known to be hit by a data breach, is on the hot seat again. This time its payroll arm is the source of problems. According to a public statement released via Business Wire on June 1, 2015, a burglary in May at a Heartland Payroll office in Santa Ana, Calif., resulted in the loss of 11 password-protected desktop computers, among other items.
"Of these 11 computers, Heartland suspects that four computers contained personally identifiable information [PII]," the company wrote. Heartland said it had filed necessary reports with federal, state and local authorities, and alerted an estimated 2,200 individuals that their personal information may have been stolen. In that letter (a copy of which was obtained by The Green Sheet) Heartland offers the affected individuals one year of free identity theft protection.
"Heartland continues to monitor the situation carefully and has increased its internal security and review procedures to watch for any unusual activity," the company wrote. "We are providing this notice to you out of an abundance of caution."
Following its 2008 breach, Heartland became a poster child for card data security. The company released its own line of POS card readers protected by industrial-grade encryption, forcing the leading terminal manufacturers to play catch-up.
In addition, in January 2015, Heartland began providing merchants with blanket warranties against financial losses tied to card data breaches when they use Heartland Secure, a super-secure card solution that combines encryption, Europay, MasterCard and Visa technology and tokenization. "The merchants with Heartland Secure-certified devices are fully protected by the breach warranty," Heartland Chairman and Chief Executive Officer Robert O. Carr said at that time.
Unencrypted personal information poached
In its letter to an estimated 2,200 consumers affected by the Heartland Payroll burglary, the company said one or more of the stolen computers "may have stored your Social Security number and/or bank account information processed for your employer." Social Security numbers and bank account information are the raw materials desired most by identity crooks.
The statement Heartland sent via Business Wire said that as a result of the burglary, it had implemented an "aggressive system" to monitor the affected accounts. "To date there is no indication that any of this information has been accessed or used in a fraudulent manner," the company stated.
The stolen computers were located in the former offices of Ovation Payroll, a payroll outsourcing company serving about 10,000 customers that Heartland acquired in 2013. Heartland stated that the stolen computers "were not connected to any other Heartland office, business, system or server." The company explained that the Santa Ana office was "in the process of being integrated into Heartland's information security and physical security systems and processes."
Experts have said that Heartland's statements suggest information stored in the stolen computers was not encrypted. "If they [the stolen computers] were in fact properly protected the notice would have highlighted that fact in bold print," blogged Dave Lewis, a contributor to Forbes online.
Heartland said in its public statement, "As part of our ongoing commitment to security, Heartland has already encrypted most computers, and as we integrate acquisitions Heartland is actively working to encrypt any remaining computers in every office that may have access to, or house, PII or payment data. … Security has been, and will continue to be, the foundation of everything we do at Heartland."
Lewis wrote, "Hopefully, the systems were simply stolen by criminals looking for a quick dollar. But in the event that isn't the case this could get uglier before long."
The reported incident does not appear to have affected Heartland's stock. The price of Heartland shares was up yesterday, the first trading day following the company's Business Wire statement.