Incident 1518

SUMMARY

Malicious Software/Hack compromises unknown number of credit cards at fifth largest credit card processor
Records: 130,000,000
Record Types: CCN
Breach Type: Hack
Data Family: Electronic
Source: Outside
Organization: Heartland Payment Systems
Other Organizations: None
Lawsuit? YES
Data Recovered? NO/UNKNOWN
Arrest? YES
Submitted By: michaelcordes

SIMILAR INCIDENTS

Records Date Organizations
94,000,000 2007-01-17 TJX Companies Inc.
90,000,000 1984-06-01 TRW, Sears Roebuck

TIMELINE

Date Event
None Incident Occurred
2009-01-12 Incident Discovered By Organization
2009-01-20 Organization Reports Incident
None Organization Mails Notifications
None Records Recovered
2009-01-27 Lawsuit Filed
2009-08-16 Arrest Made

MAP OF INCIDENT LOCATION

Address: 90 Nassau St, Princeton, NJ 08542, USA

KNOWN COURT CASES

IN PROGRESS

CONSUMER - In Re: Heartland Payment Systems Inc. Customer Data Security Breach Litigation

Filed On Justia Link Pacer Link Court Federal? Case Number Pacer Case Number Incident
2009-06-10 Pacer Docket N/A SOUTHERN DISTRICT OF TEXAS true 4:09-MD-2046-CONSUMER 4 1518
Case Files
Awards / Settlements
Award Monetary Value Description
ACTUAL DAMAGES FUND $2,400,000.00 This fund begins at 1,000,000, and grows by increments of 500,000 as needed with a cap of 2.4 million. To pay for damages directly to consumers. Valid Claims shall be limited to $175 per Settlement Class Member, with no more than two Valid Claims allowed per household. However, in the event that the Losses in a Settlement Class Member’s Valid Claim include Identity-Theft-Related Charges, up to $10,000 in such Identity-Theft-Related Charges may be included in such Settlement Class Member’s Valid Claim, but in no event shall the Settlement Class Member’s reimbursement for a Valid Claim exceed $10,000.
NOTICE TO SETTLEMENT CLASS $1,500,000.00 All costs associated with notice to the Settlement Class as required herein and Costs of Claims Administration shall be paid by Heartland.
PLAINTIFF ATTORNEY FEES $760,000.00 Defendant agrees to pay plaintiffs' attorney fees.
TOTAL $4,660,000.00
OSF Summary

This is the 'consumer track' of the consolidated lawsuits against Heartland Payment Systems, Inc.

IN PROGRESS

FINANCIAL INSTITUTIONS - In Re: Heartland Payment Systems Inc. Customer Data Security Breach Litigation

Filed On Justia Link Pacer Link Court Federal? Case Number Pacer Case Number Incident
2009-06-10 Pacer Docket N/A SOUTHERN DISTRICT OF TEXAS true 4:09-MD-2046-FINANCIAL 4 1518
Case Files

None

Awards / Settlements
Award Monetary Value Description
TOTAL $0.00
OSF Summary

"Financial Institutions Track" of consolidated litigation against Heartland Payment Systems.

KNOWN NON-COURT COSTS

Name Date Reference Monetary Value Description
Heartland Settlement with American Express 2009-12-17 reference $3,538,380.00 To resolve all potential claims and other disputes between Amex and HPS with respect to the HPS breach.
Heartland Settlement with VISA 2010-01-07 reference $60,000,000.00 To resolve all potential claims and other disputes between VISA and HPS with respect to the HPS breach.
TOTAL COST $63,538,380.00

COSTS SUMMARY

Known Actual Costs

Monetary Awards from Court Cases $4,660,000.00
Other Known Costs $63,538,380.00
TOTAL KNOWN COSTS $68,198,380.00

Estimated Costs

Ponemon Institute Direct Costs Estimate 1 $7,800,000,000.00
  1. Note that these estimates are based on the Ponemon Institute's 2009 direct costs figures from their 2009 Annual Study: Cost of a Data Breach. We multiply $60.00 by the number of records to obtain this figure. Keep in mind that depending on the breach, the direct costs are not always suffered by the breached organizations. In the case of credit card number breaches, the direct costs can often be suffered by banks and card issuers. Also note that this is only an estimate.

PRIMARY SOURCES

Primary Source ID: 1327

Description
Heartland breach notification sent to Maryland
Filename Source Researcher Incident IDs
ITU-164794.pdf Maryland Attorney General kirniki 1518
Records File Date Uploaded Updated
Not yet entered 2009-01-30 2009-02-04 04 Feb 12:28

Primary Source ID: 1353

Description
Credit card information accessed by a hacker using malicious software
Filename Source Researcher Incident IDs
heartland.pdf New Hampshire Consumer Protection & Antitrust Bureau kirniki 1518
Records File Date Uploaded Updated
Not yet entered 2009-01-30 2009-02-17 24 Feb 11:27

Primary Source ID: 1492

Description
Maryland data breach notification: Hacked credit card processor provides hacker with Credit Card information
Filename Source Researcher Incident IDs
ITU-166426.pdf Maryland Attorney General kirniki 1518
Records File Date Uploaded Updated
1 2009-02-09 2009-03-27 25 Jun 21:42

Primary Source ID: 1822

Description
North Carolina Data Breach Notification outlining Heartland Payment Systems breach that included credit card information.
Filename Source Researcher Incident IDs
20090130_Heartland.pdf North Carolina Department of Justice, Consumer Protection Division d2d 1518
Records File Date Uploaded Updated
0 2009-01-30 2009-06-13 17 Jul 08:45

COMMENTS

by d2d [Data Loss Maven] on 2009-01-20 (about 1 year ago)

Washington Post is saying 100,000,000 cards, see the Washington Post reference.

by Anonymous on 2009-01-20 (about 1 year ago)

This breach is most likely WELL over 100mill. Heartland does 100mill or more PER MONTH. I would estimate 5-700 mill.

by Anonymous on 2009-01-21 (about 1 year ago)

The PSP in this case is of course PCI compliant? Not!
If they were Tripwire (or similar) and malware should have been installed as standard and would have potentially protected against this.......

by Anonymous on 2009-01-22 (about 1 year ago)

Actually, they were PCI compliant as of April 2008.

by jericho [Senior Investigator] on 2009-01-23 (about 1 year ago)

http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf

Service Provider: Heartland Payment Systems
Validation Date: April 30, 2008
Services Covered by Review: Payment Processing
Assessor: Trustwave

by Anonymous on 2009-01-23 (about 1 year ago)

"No confidential merchant data, Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Heartland does not yet know how many card numbers were obtained."

http://www.snl.com/irweblinkx/file.aspx?IID=4094417&FID=7249269

by jericho [Senior Investigator] on 2009-01-24 (about 1 year ago)

An OSF staff member mailed the PCI-DSS contact for Trustwave asking for public comment.

by d2d [Data Loss Maven] on 2009-01-24 (about 1 year ago)

by d2d [Data Loss Maven] on 2009-01-28 (about 1 year ago)

by Anonymous on 2009-01-30 (about 1 year ago)

I received a new Discover card this week. The account number did not change, but the expiration and validation code on the back changed. When I called Discover to activate the card I asked why the change and he acknowledged it was due to the Heartland compromise.

by Anonymous on 2009-05-11 (10 months ago)

I've been watching this one since it happened in January. I just now (May 11th) got notified by Suntrust that my card may have been compromised in this breach. 4 months to notify me? They've got to be kidding.

by Anonymous on 2010-01-11 (2 months ago)

In a recent update Heartland Payment Systems announced today (January 8, 2010) that it will pay Visa-branded credit and debit card issuers up to $60 million to cover losses incurred from the Heartland data breach.
http://www.bankinfosecurity.com/articles.php?art_id=2054&rf=010910eb

Permission is granted to use this database in non-profit works and research. Use of the DataLossDB, and its exports, RSS feeds, reports, or other materials produced on this site by the Open Security Foundation for commercial interests requires authorization and licensing arrangements. For more information, please e-mail curators@datalossdb.org with a brief summary of how you would like to use this information; product, service, research, etc.
© 2005 - 2010, Open Security Foundation, All Rights Reserved.