Heartland Payment Systems Breach, What Lessons to be Learned
- By David Lukic
- Nov 27, 2020
Much like the story of the Titanic, the Heartland payment systems breach teaches us that you can never be too confident. Back in 2008/2009, Heartland Payment Systems suffered a massive data breach at the hands of two Russian hackers who installed malware on their systems and exploited SQL vulnerabilities. They made off with 100 million debit and credit card numbers. The scandal hit Heartland pretty hard, and they took cybersecurity seriously and implemented dozens of security measures. But they got a bit too confident. In 2015, they issued this data breach warranty to their customers:
“Heartland Payment Systems is so confident in the security of its payment processing technology that, on Jan. 12, it announced a new breach warranty for its users. The warranty program will reimburse merchants for costs incurred from a data breach that involves the Heartland Secure credit card payment processing system.”
Unfortunately, that confidence was misplaced. After the first Heartland breach, on May 8, 2015, Albert Gonzales broke into their offices and stole unencrypted computers holding payroll customers' details, including Social Security numbers and banking information. That boldness cost them $140 million in fines and penalties.
When Was the Heartland Data Breach?
The first Heartland Payment Systems security breach occurred back in 2008 and 2009. The latest data breach occurred in May of 2015 and was perpetrated by only one man who was sentenced to 20 years in federal prison.
How to Check if Your Data Was Breached
If you were a payroll customer of Heartland Payment Systems in 2015, you were most likely affected by the data breach. The earlier breach was much more expansive, and you would have been contacted by Heartland to respond. Once the dust settled on this latest breach, Heartland paid the fees and alerted their customers but lost market share in the mix.
What to Do if Your Data Was Breached
If you were affected by the Heartland Payment Systems breach, you should take some precautionary measures and formulate an ongoing plan of continued diligence.
- Cancel any credit cards related to or used by Heartland Payment Systems.
- Contact your bank and have your bank account number changed.
- Routinely get a copy of your credit report and sign up for monitoring (IDStrong.com does both of those for you).
- Check your credit card and bank statements carefully, always watchful for fraud.
How Did Heartland Payment Systems Respond?
Soon after the May 2015 incident, Heartland responded with a statement:
“We have involved state and federal regulatory and law enforcement agencies to assist us in determining how to proceed with the matter at hand. Heartland continues to monitor the situation carefully and has increased its internal security and review procedures to watch for any unusual activity.”
From 2009 until 2015, Heartland thought they were unhackable, but they didn't count on their computers being physically stolen. Hopefully, after this, they will take additional steps to secure the physical hardware in their offices and encrypt all data everywhere, so that a stolen machine does not become a stolen database.
Can Heartland Security Breach Information be Used for Identity Theft?
Yes. The information acquired by the hackers and the thief was enough to steal your identity. Many customers lost names, email addresses, home addresses, Social Security numbers, and other personal banking details. All criminals need is a thread to pull before your entire identity unravels before them. Be extra cautious about phishing emails after a data breach.
What to Do to Protect Yourself
Data breaches seem to be a regular occurrence in all areas of life these days. It may seem impossible to protect yourself, but it is not. Simply employing a bit of common sense can go a long way. These steps should also help you stay safe:
- Keep your computer updated with security patches and antivirus software; run deep scans often.
- Change your online passwords frequently and use really long, complex ones.
- Consider a credit freeze to keep criminals from opening new accounts in your name.
- Never give out your personal details to anyone who contacts you via phone or email.
- Do not click links or open attachments in email.
- Watch out for phishing scams and other suspicious (urgent) emails.
- Always sign up for 2-factor authentication when it is offered on websites.