Heartland breach prompts fraud concerns
By DENIS PAISTE
The Union Leader
updated 12:49 a.m. ET, Sat., Jan. 31, 2009
MANCHESTER - Several local financial institutions are replacing cards for customers caught up in the Heartland Payment Systems data security breach.

St. Mary's Bank and Triangle Credit Union this week said they opted to replace cards to protect their customers from potential fraud.

At St. Mary's Bank, Chief Administrative Officer Don Stevens said, "After reviewing the details of the breach, we saw an opportunity to get out ahead . . . and reissue the cards right away.

"We thought it was the right thing to do in protecting our members," he said.

Bellwether Community Credit Union also plans to reissue cards.

TD Banknorth is not reissuing cards, but said it remains watchful, using fraud-detection software to monitor customer accounts rather than undertaking a mass reissue of credit and debit cards.

Spokesman Jennifer Carlson said TD Banknorth had not detected any fraud on customer accounts and no fraud had been reported by customers.

Heartland CEO Robert O. Carr apologized for the breach on Monday in a letter posted on the Princeton, N.J.-based company's Web site. The company -- a credit and debit card payment processor -- first disclosed the breach on Jan. 20.

Heartland said last week an investigation uncovered malicious software that compromised data that crossed Heartland's network.

"We will not rest until we have the answers to how and why this breach occurred so we can prevent future attacks at Heartland and elsewhere. We are coordinating with the Secret Service and the United States Department of Justice to resolve this issue," Carr wrote.

But Michael Cherry, president of Cyber Security International, was critical of Heartland.

"It (credit card processing) is a closed loop. How did they get invaded with malware? The obvious way is unrelated Internet surfing," he said.

"That, of course, would be carelessness," Cherry said. "They need to quarantine, the way trading floor systems do.

"I've yet to see one big breach that wasn't readily avoidable, including Hannaford," he said. Last March, Hannaford Bros. supermarket chain said a breach of its computer system affected customer cards used at stores in New Hampshire, Maine, Massachusetts, New York and Vermont.

Heartland spokesman Jason Maloni could not immediately say whether the company's computer processing system was a closed loop or open to the Internet.

New Hampshire bankers and credit union officials are upset that they bear the financial losses from card fraud even when they are not at fault.

"We don't believe the blame and the responsibility ever goes to the right spot," New Hampshire Bankers Association President Gerald H. Little said.

"The consumers get mad at the bank for something that's not their fault," he said. "They place responsibility on (banks) for a breach at a processor in some other state used by a vendor where the customer used their card, but at the end of the day, everybody thinks it's the banks' issue, where it was not."

Nathan Saller, vice president of marketing at Bellwether Community Credit, agreed that merchants and merchant processors need to take some liability for breaches and fraud.

"That's what has to change so that this isn't happening, because right now it seems that this is some of the weaker links in the system that these hackers are going after," Saller said.

"Either some changes from MasterCard or Visa or legislation to that effect" are needed, he said.

Saller said Bellwether would reissue both MasterCard and Visa debit and credit cards.

St. Mary's Bank estimated it would replace about 900 cards at a cost of between $7,500 and $10,000.

Liz Stodolski, spokesman for St. Mary's, said the credit union sent letters to its customers and made personal calls to them within two days of learning of the breach.

Triangle Credit Union controller Scott MacKnight said, "In order to protect our members, we felt it was necessary to reissue them (cards)."

Heartland has set up a Web site, www.2008breach.com, and a toll-free line at 866-399-6228. Customers can also e-mail 2008breach@e-hps.com.

Discover is also monitoring accounts for suspicious activity and reissuing cards as appropriate.

Affected cardholders are not responsible for any unauthorized charges on their account.

Cardholders who believe their account may have been affected can call 1-800-DISCOVER.