A Pennsylvania law firm filed the first lawsuit last week against payment processor Heartland Payment Systems, claiming that the company waited to tell consumers about the breach and failed to protect sensitive data.
The class-action lawsuit, filed by Chimicles & Tikellis LLP, claims that, because Heartland did not know of the breach until it was notified of credit-card fraud by Visa and Mastercard, the company had not implemented all the controls required by the Payment Card Industry (PCI) Data Security Standard. The lawsuit also states that the company's announcement of the breach on the same day as President Barack Obama's inauguration was "questionable timing" and that the company has not offered any compensation to affected consumers.
"Possibly millions of consumers across the United States have had their Sensitive Financial Information compromised, have had their privacy rights violated, have experienced unauthorized credit card charges, have been exposed to the risk of fraud and identity theft, and have otherwise suffered damages," the lawsuit claims.
Heartland Payment Systems processes approximately 100 million credit- and debit-card transactions every month on behalf of 250,000 small businesses. If the company had been breached in October 2008, as suggested in the lawsuit, then the breach could be the largest on record. Following the disclosure of a breach by retail giant TJX in 2007, numerous lawsuits were filed on behalf of banks and consumers. Evidence presented in one lawsuit revealed that the number of accounts exposed by the compromise was nearly 100 million, double what had publicly been stated.
Last week, Heartland's CEO apologized for the breach.
"I sincerely regret any inconvenience caused by the data breach that occurred within our processing system during 2008," Robert Carr, chairman and CEO of Heartland Payment Systems, said in a statement. "Heartland understands the concern this breach has generated, and our goal is to transform this event into a positive outcome for the public, card issuers and other payment processors."
UPDATE: The article was updated with a link to the lawsuit.
Posted by: Robert Lemos