This past week, Heartland Payment Systems (HPY) announced that a system it uses to process over 100 million payment card transactions per month had been compromised during 2008, and that the intruders may have had access to cardholder data for several months.
The USA Today article on this topic, titled "Hackers breach Heartland Payment credit card system", notes that “Heartland’s disclosure coincides with reports of heightened criminal activities involving stolen payment card numbers. Security firm CardCops has been tracking a 20% year-over-year increase in Internet chat room activity where hackers test batches of payment card numbers to make sure that they’re active.”
Experts conclude that this may be the largest data breach in history, possibly larger than the infamous TJX breach that exposed 94 million customers’ card records in 2007. As of now, Heartland does not know how many cardholders were affected, but it has stated that it plans to notify them once it has sorted this out.
This breach is a perfect illustration of how an organization may believe itself “secure” because it complies with the relevant security and privacy regulations. Heartland had been assessed as compliant with PCI DSS, the Payment Card Industry Data Security Standard that Visa and MasterCard require of merchants and processors, but that obviously wasn’t sufficient to ensure cardholder data was safeguarded. A PCI assessment is a point-in-time check against a fixed list of controls; passing it says nothing about whether an attacker who was already inside the network, or who used a technique the checklist does not cover, can reach card data.
Most organizations that hold PII (personally identifiable information) on their customers already make significant security investments and comply with numerous regulations and standards, yet breaches keep happening. The open problem, then, is not whether to spend on security or to comply, but knowing which measures actually prevent the loss of PII.
The business impact of this type of data breach is now becoming obvious. Heartland lost over $180MM in shareholder value, over 35% of its market capitalization, in the five days following the public announcement of the breach. With the potential for this kind of decline in market value, companies must begin to look harder at measures that are specifically targeted at the prevention of data breaches, rather than at compliance alone.