Although neither Visa nor MasterCard has released any data yet, the card brands have been telling processors and issuers that the number of card accounts compromised will range from at least 80 million to slightly more than 100 million.
Sources familiar with card processing, who declined to speak for the record because they had not been authorized to speak to the press on this issue, said the scope of the Heartland breach dwarfs the breaches at TJX in 2007 and CardSystems Solutions in 2005. TJX acknowledged more than 45 million compromised cards, though later litigants claimed a higher figure, and the CardSystems breach was eventually put at 40 million accounts. Heartland processes cards for more than 250,000 merchants across the U.S.
Sources said so many card numbers may be involved in the Heartland breach because a significant number of Heartland's merchant clients are gas stations and convenience stores, which typically have a high transaction volume.
Jason Maloni, who works for crisis management communications firm Levick Strategic Communications representing Heartland, stated that the company still didn't know how many card accounts were compromised and that any numbers being reported were speculative.
"We just don't know [how many accounts were compromised]," Maloni said. "And if we don't know, nobody knows."
The company, which has prided itself on security, announced on Jan. 20 that hackers had placed malicious software on its computer system sometime in 2008 and insisted it still did not know how long the software had been in place.
But sources familiar with ongoing forensic examination of Heartland's systems said on background that investigators found the malicious software was placed on the company's systems in mid-May of last year and that it had been removed in mid-November. Neither the company nor the two major card brands would confirm those dates.
The company would also not comment on whether or not it had been compliant with industry security standards at the time of the breach. The company's position is that no "important" information, which the company has defined as confidential merchant data, Social Security numbers, unencrypted PINs, addresses or telephone numbers, was compromised.
If that distinction was aimed at reassuring cardholders worried about their cards, it merely irritated credit union card processing executives further.
"Of course no merchant data was compromised," said one exasperated executive who declined to speak for the record. "It wasn't compromised because thieves didn't want it. No one cares how many lattes Harry's Coffee Shop sold last month compared to a year ago. What the thieves wanted was the card information that will let them steal the money, and that's what they got!"
Public reaction to the breach has been relatively slow in coming. CUNA Mutual Group released guidelines to help credit unions limit their damage from the breach and the insurer partnered with FIS to develop software to help credit unions streamline the fraud claims process (see related article, page 26).
The Washington Credit Union League seized on the breach as an indication that the state's credit unions and other card issuers strongly needed legislation to help them recoup some of the losses from the ongoing security problems.
"The state's credit union community is appalled, but unfortunately not very shocked, by the immense size of the Heartland data breach," said Washington Credit Union League CEO John Annaloro. "In far too many cases, negligent data breachers do business as if they were immunized from liability when they fail to protect their customers' personal information. In our view, if someone's careless actions result in a financial loss to others, they should have to pay for it."
"While there are processes that are supposed to provide some reimbursement for fraud losses, the truth is that these processes only recoup pennies on the dollar," said Stacy Augustine, the Washington Credit Union League Senior Vice President in charge of government relations. "More importantly, the costs that are recouped don't pay anything toward costs associated with a financial institution's proactive steps to protect consumers from fraud and identity theft."
Card industry executives said that the breach merely points out the fallacy of treating compliance with the PCI Security Standards Council's standards as some sort of shield against thieves.
"I will give them [Heartland] the benefit of the doubt and say they probably were audited as compliant with PCI," said one. "But as we have learned, that doesn't mean anything. It's not 'when was I last compliant' but 'am I compliant now, and what am I doing to remain compliant tomorrow?'"