Special Report July 6, 2009, 3:33PM EST

Lessons from the Data Breach at Heartland

How a top payments processor responded to the largest-ever criminal pilfering of credit-card data, and what other companies can learn from it

Robert Carr was settling in for the evening in a New York hotel on Jan. 12 this year when at 10:30 p.m. he got a phone call that every financial services executive dreads. Carr, CEO of Heartland Payment Systems (HPY), learned that intruders might have hacked into the company's computer network.

The next morning, his fears were confirmed. For a period starting in May 2008, cybercriminals had burrowed deeply into Heartland's network and recorded consumers' credit- and debit-card data. "That's the worst thing that can happen to a payments company and it happened to us," says Carr.

Heartland, the fifth-biggest payments processor in the U.S., had suffered what within days would be called the largest-ever criminal breach of card data. Security experts estimate that as many as 100 million cards issued by more than 650 financial services companies may have been compromised. Heartland faces class actions and inquiries by federal regulators over the matter.

Not Keeping Mum

The attack on Heartland, responsible for handling the transfer of funds and information between retailers and cardholders' financial institutions, reflects an upswing in the number of information breaches as hackers get more sophisticated in invading corporate data networks. More electronic records were breached in 2008 than the previous four years combined, according to a report by Verizon Business (VZ) released on Apr. 15.

The intrusions not only put consumer or corporate data at risk but can also exact a high financial and public-relations toll on the companies whose systems are hacked. The TJX Companies (TJX), which operates retailers including T.J. Maxx and Marshalls, has said it incurred costs of more than $171 million related to an intrusion discovered in 2006 that resulted in the compromise of tens of millions of accounts. Costs for the average company are lower, about $6.65 million, according to a January survey by the Ponemon Institute.

Unlike peers who tend to stay mum on security breaches, Carr has gone public with Heartland's story to encourage companies to share information about attacks and band together against cybercriminals who themselves are becoming better organized. He has divulged parts of the story previously but went into extensive detail in an interview with BusinessWeek.com.

The Heartland intrusion began in May 2008, even though the company had passed multiple audits, including one conducted on Apr. 30. At the time, the Princeton (N.J.) company was in compliance with industry standards for data security, Carr says. Still, shortly afterward, 13 pieces of malware that capitalize on weaknesses in Microsoft (MSFT) software infiltrated one or more network servers. "We get pinged 200,000 times per day by people trying to hack into our system," Carr says. "You do everything you can to make sure one of those pings doesn't get through, and we thought we had done everything we could do."

Finding the Weak Link

While Heartland may have tried to cover all its bases, other companies commonly focus on what they think are the most critical servers and neglect ones that seem less important, such as those that manage heating, ventilation, and air conditioning (HVAC), says Peter Tippett, vice-president for technology and innovation at Verizon Business.
