PHILADELPHIA — Two Pennsylvania law firms have filed class-action suits against Heartland Payment Systems on behalf of all cardholders in the United States whose credit or debit card data was stolen from Heartland Payment Systems’ processing network.
Heartland disclosed last month that an investigation had uncovered “malicious software” that compromised data that crossed its network. The company delivers card processing, payroll, check management and payment solutions to more than 250,000 business locations nationwide, and processes more than 100 million credit-card transactions monthly.
The payment processor reported that no confidential merchant data, Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers were retrieved in what is believed to be a global cyber-fraud operation. Officials were uncertain how many card numbers were obtained.
In a suit filed on Jan. 27, Chimicles & Tikellis LLP (Haverford, PA) claims that Heartland failed to implement proper controls because it only became aware of the breach after it was notified of patterns of fraudulent credit-card activity by Visa and MasterCard. The suit also charges that Heartland has made “unreasonably belated and inaccurate statements concerning the breach” and has not offered any credit-monitoring services or other relief to consumers affected by it.
Berger & Montague PC (Philadelphia) filed a class-action suit on Jan. 29 that seeks to redress Heartland’s failure to safeguard cardholder data. Data thieves reportedly installed malicious software on Heartland’s payment processing network as early as May 2008. In late fall 2008, Visa and MasterCard alerted Heartland to suspicious activity on cards that Heartland previously processed. Berger & Montague charges that “the lengthy delay between when the intrusion began and when it was contained reflects the inadequacy of Heartland’s security measures and intrusion detection systems.”
Following his announcement of the security breach, Heartland founder, chairman and chief executive Bob Carr issued a call for “industry cooperation to fight cyber criminals and adoption of end-to-end encryption.” Carr is said to be a strong advocate of end-to-end encryption, which protects data at rest and in motion, as an improved and safer payments security standard.
Berger & Montague was co-lead counsel in a data breach class-action suit against TJX Cos. Inc., owner of TJ Maxx, Marshalls, A.J. Wright and HomeGoods, stemming from the then-largest theft of credit-card information in history. That case settled in 2008 for benefits valued at over $200 million.