Sunday, February 15, 2009

Another Payment Card Processor Hacked

Anthony Freed, Financial Editor for Information Security Resources, writes in an excellent article that there are reports that another Payment Card Processor has been hacked. The company has not yet been named, but "multiple tips from multiple sources" claim that another processor, other than Heartland, is behind recent warnings to banks about potentially having to replace consumer cards.

By Anthony M. Freed, Financial Editor
Reports are surfacing that there has been another major information security breach at a credit card payment processor, though the company has not yet been identified.
The breach news comes less than one month after Heartland Payment Systems announced they had suffered what is likely to be the biggest PCI breach to date, possibly bigger than the TJX breach.
Heartland (HPY) is the sixth largest payment processor in the nation.
There had been indications in early Heartland reports that the FBI was pursuing suspects who may be part of a larger criminal conspiracy targeting multiple companies, but there are no reports yet as to whether this latest breach is part of that investigation, or whether the revelations at Heartland led to this breach being uncovered.
From on the breach at the unknown company:

Banks around the country are reportedly receiving warnings, and perhaps even new lists of cards to replace. This is apparently regarding another credit card processor, unrelated to Heartland Payment Systems, having a significant breach.

OSF has received multiple tips from multiple sources, and has spoken with the good people over at who have confirmed they too are hearing the exact same thing. From what we’ve heard, this second breach is significant in scale, but we have not as of yet been told who the processor is.

Also, speaking of, they’ve released an article about three people being arrested for allegedly using credit cards from the Heartland Breach. And also, their list grows of institutions affected by the Heartland incident (they maintain a much more comprehensive list than we did). Hats off!
Our team has been predicting that 2009 will be the year that InfoSec moves to the forefront of the economic crisis. We believe the somewhat obscure issue will become as familiar to the American public as the notorious subprime and pay option ARMs have in the last year or two.

Much like the meltdown of the mortgage industry, the revelations of lax governance in the handling of sensitive and private data will likely shock the public and the business community alike, and those revelations are bound to come all too painfully slow, especially for shareholders.

The data loss debacle at Heartland highlights the fact that the failure to secure information is the next major shareholder derivative, director and officer liability, regulatory, consumer product safety, and class-action issue to impact our economy.

Nearly one month after going public, few details of the Heartland breach have been released, and many questions remain regarding a long chain of events that include both the breach and also an aggressive executive 10b5-1 stock selling plan adopted in early August of last year, the same month the breach is now reported to have ended, but still five months before the breach was announced publicly.

Heartland Payment Systems stock price has been flat-lined since losing half of its value shortly after the January 20, 2009 breach announcement. A report from gravely illustrates that this is more than a security issue, it is a commercial viability issue:
Heartland says it has closed the security hole that allowed criminals to infiltrate their systems, but the matter is far from settled. The company will likely have to pay big penalties to banks to reimburse the cost of issuing new cards, and analysts say the intrusion could even threaten the company’s survival if the big card brands decide to cut off Heartland from connecting to their networks.

One big payment processor, CardSystemsSolutions, went under after a 2005 data breach in which 40 million credit card accounts were compromised and the big card brands stopped doing business with CardSystems. Representatives for Visa Inc. and MasterCard Inc. declined to comment.

The latest piece of news for the Heartland timeline comes from’s Evan Schuman:
“According to a MasterCard alert, this sniffer program stole card numbers and expiration dates from credit and debit cards processed by Heartland from May 14, 2008, through Aug. 19, 2008, as the information entered Heartland’s payment switch,”
Here is what we know of the Heartland timeline thus far, which is not much, but it does beg for a more thorough explanation by company officials for no other reason than several important things happened in a relatively short period of time, and that alone should be reason enough:
May 14, 2008: Breach reported to have begun
May 20, 2008: Carr makes first stock sale of the year, 2,695 shares
August (first week), 2008: CEO Robert Carr's 10b5-1 is proposed
August 8, 2008: Board approves 10b5-1 plan
August 8 - August 14, 2008: Carr makes six separate sales of stock totalling 60,000 shares
August 19, 2008: Breach reported to have ended
August 28, 2008: Carr sells 80,000 shares
September 3, 2008: Carr sells 80,000 shares
September 17, 2008: Carr sells 80,000 shares
October 15, 2008: Carr sells 80,000 shares
October 28, 2008: Visa and MasterCard notify Heartland of problems; Carr sells 80,000 shares
November 6, 2008: Carr sells 80,000 shares
November 20, 2008: Carr sells 80,000 shares
December 11, 2008: Carr sells 80,000 shares
December 26, 2008: Carr sells 42,900 shares
January 7, 2009: Carr sells 80,000 shares
January ??, 2009: Carr suspends his 10b5-1 stock selling plan
January 20, 2009: Breach Announced
Heartland representatives maintain that company officials were not alerted to the breach until being contacted by Visa (V) and MasterCard (US:MA) officials in late October.

In an email I received from Heartland’s representatives, they state that there is no relationship whatsoever between the breach and Carr’s stock sales:
At the time of this announcement, Mr. Carr was not under any trading restrictions pursuant to the company’s insider trading policy and was not in possession of any material non-public information concerning the company. Under this 10b5-1 plan, programmed sales of company stock were made on Mr. Carr’s behalf, and he had no discretion regarding the timing or other aspects of those sales.

Although he was not required to do so, Mr. Carr terminated his 10b5-1 when the company confirmed the security breach it disclosed in the company’s press release of January 20, 2009. As has been reported, Heartland first learned of a potential problem from the card associations on October 28th of last year, well after the announcement of this 10b5-1 plan. Heartland categorically denies that Mr. Carr was aware of a potential security breach at the time he adopted his trading plan.
I can see no reason not to take them at their word, but I also urge Heartland officials to release more information to clear up the issue, such as the documentation that Heartland’s Systems and IT departments keep to show compliance with requirements for sensitive data protection. Hard copy confirmation that no one at Heartland was aware of any major security problems prior to October 28, 2008 would put any questions to rest with more finality than a corporate press release or an email.

Something to look forward to is the conference call with Carr now scheduled to take place in the last week of February. The agenda states the call will discuss Q4-2008 earnings, but it seems almost certain they will address the breach then, and hopefully will provide more details regarding an eventful August 2008.

From the press release:
Chairman & Chief Executive Officer Robert Carr and President & Chief Financial Officer Robert Baldwin will host a conference call beginning at 8:30 AM Eastern Time, Tuesday, February 24, 2009, to discuss fourth quarter and fiscal year end 2008 results and conduct a question and answer session.

Heartland Payment Systems invites all interested parties to listen to its conference call broadcast through a webcast on the Company's website. To access the call, please visit the Investor Relations portion of the Company's website at: The webcast will be archived on the Company's website within two hours of the live call and will remain available through Friday, May 22, 2009.

You may also participate by calling (800) 559-6679 and providing the operator with Pin Number 81829786
The SEC does require disclosure by company leadership of known threats to share price, so we should expect that more will be revealed during the call - unless the investigation would prevent the release of such information, in that case we would probably at least get some statements to that effect.

Either way it seems that much will be revealed in the call.

As for the latest breach, let’s hope it is not a record breaker and that no fraud cases are the result. Be vigilant about checking your own credit card statements and report any suspicious activity immediately. Then just keep your fingers crossed that we can effectively put the information security genie back in the bottle before the next breach is not just a financial security matter, but a national security event as well.

Anthony is a researcher, analyst and freelance writer who worked as a consultant to senior members of product development, secondary, and capital markets from the largest financial institutions in the country during the height of the credit bubble. Anthony’s work is featured by leading Internet publishers including Reuters, The Chicago Sun-Times, Business Week’s Business Exchange, Seeking Alpha, and ML-Implode.