Heartland sued over data breach

Lawsuit filed on behalf of Minnesota woman accuses payment processor Heartland of negligence in handling of data breach that exposed millions of accounts.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Payment processor Heartland Payment Systems has been sued over a data breach it disclosed publicly on Inauguration Day last week.

The lawsuit, filed on Tuesday in U.S. District Court in Trenton, N.J., alleges that Heartland failed to adequately safeguard the compromised consumer data, did not notify consumers about the breach in a timely manner as required by law, and has not offered to compensate consumers for costs they may incur in protecting themselves from identity fraud.

In a statement that coincided with President Barack Obama's inauguration events, Heartland said the breach occurred last year but that it found evidence of the intrusion only in the previous week and immediately notified law enforcement and credit card companies.

Heartland was alerted in late October by Visa and MasterCard to suspicious activity surrounding processed card transactions and hired forensic auditors, who uncovered malicious software that compromised data in the company's network, Robert H.B. Baldwin Jr., chief financial officer of Heartland, said last week.

The lawsuit seeks damages and relief for the "inexplicable delay, questionable timing, and inaccuracies concerning the disclosures" with regard to the data breach, which is believed to be the largest in U.S. history.

Heartland executives have declined to specify how many consumers or accounts were affected. The company handles 100 million transactions per month for more than 250,000 merchants.

The lawsuit, first reported by the SearchSecurity news site, also accuses Heartland of negligence in taking more than two months to determine the existence and scope of the breach and criticizes the company for failing to identify which merchants were affected by the breach.

The suit was filed on behalf of Woodbury, Minn., resident Alicia Cooper, who was notified last week by her credit union that a card associated with her account was included in the breach. It seeks class action status.

A Heartland spokesman said the company could not comment on litigation.

Meanwhile, the U.S. Secret Service has identified a suspect in the breach who resides outside the country, according to a report late last week on the Storefront Backtalk blog.

Secret Service officials did not return a call seeking comment, and a U.S. Department of Justice spokeswoman said she could not comment on the investigation.

Update 2:35 p.m. PST: A Secret Service spokesman said the agency "is not releasing any information at this time" on the investigation.

Heartland announced on Tuesday that it would deploy an end-to-end encryption system to secure data in databases and as it is transferred around the network. Heartland also said it has formed an internal department dedicated to the project.