local News Manchester, NH
Heartland breach prompts fraud concerns
By DENIS PAISTE
The Union Leader
updated 12:49 a.m. ET, Sat., Jan. 31, 2009
MANCHESTER - Several local financial institutions are replacing cards for customers caught
up in the Heartland Payment Systems data security breach.
St. Mary's Bank and Triangle Credit Union this week said they opted to replace cards to protect
their customers from potential fraud.
At St. Mary's Bank, Chief Administrative Officer Don Stevens said, "After reviewing the details
of the breach, we saw an opportunity to get out ahead . . . and reissue the cards right away.
"We thought it was the right thing to do in protecting our members," he said.
Bellwether Community Credit Union also plans to reissue cards.
TD Banknorth is not reissuing cards, but said it remains watchful, using fraud-detection software
to monitor customer accounts rather than undertaking a mass reissue of credit and debit cards.
Spokesman Jennifer Carlson said TD Banknorth had not detected any fraud on customer
accounts and no fraud had been reported by customers.
Heartland CEO Robert O. Carr apologized for the breach on Monday in a letter posted on the
Princeton, N.J.-based company's Web site. The company -- a credit and debit card payment
processor -- first disclosed the breach on Jan. 20.
Heartland said last week an investigation uncovered malicious software that compromised data
that crossed Heartland's network.
"We will not rest until we have the answers to how and why this breach occurred so we can
prevent future attacks at Heartland and elsewhere. We are coordinating with the Secret Service
and the United States Department of Justice to resolve this issue," Carr wrote.
But Michael Cherry, president of Cyber Security International, was critical of Heartland.
"It (credit card processing) is a closed loop. How did they get invaded with malware? The
obvious way is unrelated Internet surfing," he said.
"That, of course, would be carelessness," Cherry said. "They need to quarantine, the way
trading floor systems do.
"I've yet to see one big breach that wasn't readily avoidable, including Hannaford," he said. Last
March, Hannaford Bros. supermarket chain said a breach of its computer system affected
customer cards used at stores in New Hampshire, Maine, Massachusetts, New York and
Heartland spokesman Jason Maloni could not immediately say whether the company's
computer processing system was a closed loop or open to the Internet.
New Hampshire bankers and credit union officials are upset that they bear the financial losses
from card fraud even when they are not at fault.
"We don't believe the blame and the responsibility ever goes to the right spot," New Hampshire
Bankers Association President Gerald H. Little said.
"The consumers get mad at the bank for something that's not their fault," he said. "They place
responsibility on (banks) for a breach at a processor in some other state used by a vendor
where the customer used their card, but at the end of the day, everybody thinks it's the banks'
issue, where it was not."
Nathan Saller, vice president of marketing at Bellwether Community Credit, agreed that
merchants and merchant processors need to take some liability for breaches and fraud.
"That's what has to change so that this isn't happening, because right now it seems that this is
some of the weaker links in the system that these hackers are going after," Saller said.
"Either some changes from MasterCard or Visa or legislation to that effect" are needed, he said.
Saller said Bellwether would reissue both MasterCard and Visa debit and credit cards.
St. Mary's Bank estimated it would replace about 900 cards at a cost of between $7,500 and
Liz Stodolski, spokesman for St. Mary's, said the credit union sent letters to its customers and
made personal calls to them within two days of learning of the breach.
Triangle Credit Union controller Scott MacKnight said, "In order to protect our members, we felt
it was necessary to reissue them (cards).''
Heartland has set up a Web site, www.2008breach.com, and a toll-free line at 866-399-6228.
Customers can also e-mail firstname.lastname@example.org.
Discover is also monitoring accounts for suspicious activity and reissuing cards as appropriate.
Affected cardholders are not responsible for any unauthorized charges on their account.
Cardholders who believe their account may have been affected can call 1-800-DISCOVER.