FTC Mum on Heartland BreachCardSystems Case Shows How Similar Investigation was Handled Who will investigate the Heartland Payment Systems (HPY) data breach?
As a non-banking financial services entity, Heartland falls under the auspices of the Federal Trade Commission (FTC). So far, the FTC is mum on the case. "Our policies keep us from either confirming or denying a non-public investigation," says Jessica Rich, Assistant Director in the FTC's Division of Privacy and Identity Protection, Bureau of Consumer Protection.
But if you look back at recent history to the CardSystems Solutions Inc. case of 2005, you gain insight into how the FTC handles such cases.
CardSystems: What Happened
At the time it was discovered in 2005, CardSystems' breach of 40 million consumer credit/debit cards was the largest known compromise of financial data. CardSystems was the first credit card processor that the FTC prosecuted for failing to take appropriate security measures to protect sensitive information. The FTC said as a result of the breach there were millions of dollars of fraudulent purchases made. FTC's settlement required CardSystems (by then it was owned by Pay By Touch, another payment processor) to implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years. There was no fine levied against CardSystems, but the FTC did say that the company would be liable for any lawsuits against it from financial institutions or customers.
The FTC found that the payment processor had kept information it had no reason to keep and then stored it in a way that put consumers' financial information at risk. The FTC found CardSystems provided merchants with products and services used in "authorization processing" - obtaining approval for credit and debit card purchases from the banks that issued the cards. In 2005, it processed about 210 million card purchases, totaling more than $15 billion, for more than 119,000 small and mid-size merchants. In processing these transactions, CardSystems collected personal information from the magnetic strip on the card, including the card number, expiration date and other data. CardSystems then stored this information on its computer network, where hackers broke in and took the millions of credit and debit card accounts.
The FTC charged that CardSystems failed to provide reasonable and appropriate security for sensitive consumer information, specifically that it:
Pay By Touch filed for bankruptcy in 2007 and finally closed its doors in March 2008.