A class action lawsuit has been filed against Heartland Payment Systems, Inc. over the loss of credit card information to hackers in 2008, and the company's subsequent handling of the data breach. Some computer experts estimate that the breach may have compromised more than 100 million credit cards.
According to the company's website, Heartland is the fifth largest payment processor in the US and ninth largest worldwide. It processes more than 11 million transactions per day.
As searchsecurity.com reported, on inauguration day, Heartland disclosed that the week before, the company found evidence of an intrusion. Heartland has not disclosed how many credit cards were compromised, nor did it disclose which merchants were involved. Security experts have estimated that the number of cards compromised could top 100 million, eclipsing the massive TJX Companies data breach in 2007, when over 45 million cards were compromised.
Searchsecurity.com first reported the filing of the class action complaint. As alleged in the complaint, Heartland learned it had been hacked until sometime around October of 2008. Purportedly, Visa and Mastercard alerted Heartland of a possible problem after noticing suspicious activity on some cards. Heartland then allegedly took months—until mid-January—to confirm that it had indeed been infiltrated and that malware residing within Heartland’s systems was intercepting payment information sent to Heartland for processing.
On behalf of those whose information was compromised, named plaintiff Alicia Cooper's complaint alleges negligence regarding the data breach itself, and a host of claims relating to Heartland’s disclosure of the breach and purported breach of duties to cardholders and merchants. Chief amongst the concerns raised by the complaint is Heartland's alleged failure to notify cardholders or merchants that their cards had been compromised. The complaint also alleges that Heartland was not compliant with the Payment Card Industry Data Security Standard controls demanded by major credit card companies.