
By Anthony M. Freed, Information-Security-Resources.com Financial Editor

Reports are surfacing that there has been another major information security
breach at a credit card payment processor, though the company has not yet been
identified.

The breach news comes less than one month after Heartland Payment Systems
announced it had suffered what is likely to be the biggest PCI breach to date,
possibly bigger than the TJX breach.

Heartland (HPY) is the sixth largest payment processor in the nation.

There had been indications in early Heartland reports that the FBI was pursuing
suspects who may be part of a larger criminal conspiracy targeting multiple
companies, but there are no reports yet as to whether this latest breach is part
of that investigation, or whether the revelations at Heartland led to this breach
being uncovered.

From DataLossDB.org on the breach at the unknown company:

Banks around the country are reportedly receiving warnings, and perhaps even new
lists of cards to replace. This is apparently regarding another credit card
processor, unrelated to Heartland Payment Systems, having a significant breach.

OSF has received multiple tips from multiple sources, and has spoken with the good
people over at bankinfosecurity.com who have confirmed they too are hearing the
exact same thing. From what we've heard, this second breach is significant in
scale, but we have not as of yet been told who the processor is.

Also, speaking of BankInfoSecurity.com, they've released an article about three
people being arrested for allegedly using credit cards from the Heartland Breach.
And also, their list grows of institutions affected by the Heartland incident
(they maintain a much more comprehensive list than we did). Hats off!

Our team has been predicting that 2009 will be the year that InfoSec moves to the
forefront of the economic crisis. We believe this somewhat obscure issue will become
as familiar to the American public as the notorious subprime and pay option ARMs
have become in the last year or two.

Much like the meltdown of the mortgage industry, the revelations of lax governance
in the handling of sensitive and private data will likely shock the public and the
business community alike, and those revelations are bound to come all too
painfully slow, especially for shareholders.

The data loss debacle at Heartland highlights the fact that the failure to secure
information is the next major shareholder derivative, director and officer
liability, regulatory, consumer product safety, and class-action issue to impact
our economy.

Nearly one month after going public, few details of the Heartland breach have been
released, and many questions remain regarding a long chain of events that includes
both the breach and an aggressive executive 10b5-1 stock selling plan adopted
in early August of last year, the same month the breach is now reported to have
ended, but still five months before the breach was announced publicly.

Heartland Payment Systems' stock price has flat-lined since losing half of
its value shortly after the January 20, 2009 breach announcement. A report from
komonews.com gravely illustrates that this is more than a security issue; it is a
commercial viability issue:

Heartland says it has closed the security hole that allowed criminals to
infiltrate their systems, but the matter is far from settled. The company will
likely have to pay big penalties to banks to reimburse the cost of issuing new
cards, and analysts say the intrusion could even threaten the company's survival
if the big card brands decide to cut off Heartland from connecting to their
networks.

One big payment processor, CardSystemsSolutions, went under after a 2005 data
breach in which 40 million credit card accounts were compromised and the big card
brands stopped doing business with CardSystems. Representatives for Visa Inc. and
MasterCard Inc. declined to comment.

The latest piece of news for the Heartland timeline comes from
StorefrontBacktalk.com's Evan Schuman:

“According to a MasterCard alert, this sniffer program stole card numbers and
expiration dates from credit and debit cards processed by Heartland from May 14,
2008, through Aug. 19, 2008, as the information entered Heartland’s payment
switch.”

Here is what we know of the Heartland timeline thus far. It is not much, but it
does call for a more thorough explanation by company officials, if for no other
reason than that several important things happened in a relatively short period of
time, and that alone should be reason enough:

May 14, 2008: Breach reported to have begun
May 20, 2008: Carr makes first stock sale of the year, 2,695 shares
August (first week), 2008: CEO Robert Carr's 10b5-1 plan is proposed
August 8, 2008: Board approves 10b5-1 plan
August 8 - August 14, 2008: Carr makes six separate sales of stock totaling
60,000 shares
August 19, 2008: Breach reported to have ended
August 28, 2008: Carr sells 80,000 shares
September 3, 2008: Carr sells 80,000 shares
September 17, 2008: Carr sells 80,000 shares
October 15, 2008: Carr sells 80,000 shares
October 28, 2008: Visa and MasterCard notify Heartland of problems; Carr sells
80,000 shares
November 6, 2008: Carr sells 80,000 shares
November 20, 2008: Carr sells 80,000 shares
December 11, 2008: Carr sells 80,000 shares
December 26, 2008: Carr sells 42,900 shares
January 7, 2009: Carr sells 80,000 shares
January ??, 2009: Carr suspends his 10b5-1 stock selling plan
January 20, 2009: Breach announced

Heartland representatives maintain that company officials were not alerted to the
breach until being contacted by Visa (V) and MasterCard (US:MA) officials in late
October.

In an email I received from Heartland's representatives, they state that there is
no relationship whatsoever between the breach and Carr's stock sales:

At the time of this announcement, Mr. Carr was not under any trading restrictions
pursuant to the company’s insider trading policy and was not in possession of any
material non-public information concerning the company. Under this 10b5-1 plan,
programmed sales of company stock were made on Mr. Carr’s behalf, and he had no
discretion regarding the timing or other aspects of those sales.

Although he was not required to do so, Mr. Carr terminated his 10b5-1 plan when the
company confirmed the security breach it disclosed in the company’s press release
of January 20, 2009. As has been reported, Heartland first learned of a potential
problem from the card associations on October 28th of last year, well after the
announcement of this 10b5-1 plan. Heartland categorically denies that Mr. Carr was
aware of a potential security breach at the time he adopted his trading plan.

I can see no reason not to take them at their word, but I also urge Heartland
officials to release more information to clear up the issue, such as the
documentation that Heartland's systems and IT departments keep to show compliance
with requirements for sensitive data protection. Hard-copy confirmation that no
one at Heartland was aware of any major security problems prior to October 28,
2008 would put any questions to rest with more finality than a corporate press
release or an email.

Something to look forward to is the conference call with Carr, now scheduled to
take place in the last week of February. The agenda states the call will discuss
Q4-2008 earnings, but it seems almost certain they will address the breach then,
and hopefully will provide more details regarding an eventful August 2008.

From the press release:

Chairman & Chief Executive Officer Robert Carr and President & Chief Financial
Officer Robert Baldwin will host a conference call beginning at 8:30 AM Eastern
Time, Tuesday, February 24, 2009, to discuss fourth quarter and fiscal year end
2008 results and conduct a question and answer session.

Heartland Payment Systems invites all interested parties to listen to its
conference call broadcast through a webcast on the Company's website. To access
the call, please visit the Investor Relations portion of the Company's website at:
www.heartlandpaymentsystems.com. The webcast will be archived on the Company's
website within two hours of the live call and will remain available through
Friday, May 22, 2009.

You may also participate by calling (800) 559-6679 and providing the operator with
PIN number 81829786.

The SEC does require disclosure by company leadership of known threats to share
price, so we should expect that more will be revealed during the call, unless the
investigation would prevent the release of such information, in which case we would
probably at least get some statements to that effect.

Either way it seems that much will be revealed in the call.

As for the latest breach, let's hope it is not a record breaker and that no fraud
cases result from it. Be vigilant about checking your own credit card statements
and report any suspicious activity immediately. Then just keep your fingers
crossed that we can effectively put the information security genie back in the
bottle before the next breach becomes not just a financial security matter, but a
national security event as well.

Anthony is a researcher, analyst and freelance writer who worked as a consultant
to senior members of product development, secondary, and capital markets from the
largest financial institutions in the country during the height of the credit
bubble. Anthony’s work is featured by leading Internet publishers including
Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha,
and ML-Implode.

The Author gives permission to link, post, distribute, or reference this article
for any lawful purpose, provided attribution is made to the author and to
Information-Security-Resources.com.