A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

January 09, 2012 • Issue 12:01:01

Heartland nearing closure on breach after favorable ruling

Nearly all bank claims filed against Heartland Payment Systems Inc. in the aftermath of its massive data theft, initially reported in January 2009, were dismissed by U.S. Southern District of Texas Judge Lee Rosenthal Dec. 7, 2011.

The ruling

Nine banks filed complaints against Heartland following the theft of data from nearly 130 million credit and debit cards. The banks sought damages from Heartland for alleged negligence, violation of the consumer protection laws of several states and for breaching its contractual obligations to them. In essence, Judge Rosenthal found most of these claims were not viable.

Rosenthal dismissed the negligence and contractual obligation claims. He threw out the negligence claims because the law does not allow tort damages in cases where no physical or property injury exists. He dismissed the breach of contract claims because there was no direct or implied contract the banks could connect to a breach incident.

Rosenthal said he will allow the banks to file an amended breach-of-contract claim. He also let stand a claim filed under the Florida Deceptive and Unfair Trade Practices Act.


Enough suits were filed against Heartland following the breach, the largest ever in the payment card industry, for the claims to be separated into consumer claims and financial institution claims. Heartland settled the consumer claims in 2010 for $4 million. The settlement gave eligible consumers up to $175 for expenses associated with the stolen credit or debit card information. Heartland also agreed to pay as much as $10,000 to identity theft victims who suffered losses as a result of the breach.

Heartland Chief Executive Officer Robert O. Carr told The Green Sheet that to the best of his knowledge, all consumer claims are settled. He also said he does not expect the banks to file additional claims but he is prohibited from speaking further about any continuing litigation issues.

Carr said there was no sense of vindication in the company after Rosenthal's favorable ruling. He noted the breach has directly cost Heartland "between $125 million and $150 million." Unfortunately, he could offer little help for other companies looking to avoid their own breaches in a world where data theft is becoming a booming industry. "Our situation was very unique as a nonbank, public payments company, so I don't think our approach would necessarily be appropriate for most other potential victims," he said.

Crime and punishment

Three hackers were publicly held responsible for the Heartland Breach. U.S. citizen Albert Gonzalez was arrested and sentenced to 20 years in prison after pleading guilty to charges related to the breach. The indictment also named Maksym Yastremskiy of Kharkov, Ukraine, and Aleksandr Suvorov, of Sillamae, Estonia. Asked if he was confident all the hackers involved in the breach were identified Carr answered, "I am confident this is not the case."

Moving forward

Carr has worked on a number of initiatives to improve security in the payments industry. Heartland is now manufacturing its own Heartland E3 terminal, an encrypted, tamper resistant security module that wipes out the encryption keys and renders the terminal inoperative if the security module is tampered with.

Also, the operating system of the E3 is locked down so that every application applied to the terminal must have a certificate and be tied into the operating system. When a transaction goes through the end-to-end encryption, a token is created on the back-end to allow for chargebacks, reversals or other processes needed after the transaction.

Carr said more than 20,000 merchants are using the E3 terminal. "It has been very successful for us," he said.

Carr also helped to found the Payments Processing Information Sharing Council under the umbrella of the Financial Service Information Sharing and Analysis Center to provide a way for the industry to share information about fraud threats, vulnerabilities and migration in the payments industry. "The PPISC is a vibrant and effective organization with almost all large acquirers, including Heartland, very involved in sharing experiences and information," Carr noted.

end of article

For additional news stories, please visit www.greensheet.com and click on "Read the Entire Story" in the center column below the latest news story excerpt. This will take you to the full text of that story, followed by all other news stories posted online.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing