Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak SecurityWritten by Evan Schuman
A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.
Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs misled the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not.
The Heartland incident that prompted the lawsuit started in December 2007 when a group of cyberthieves led by Albert Gonzalez (who just this month agreed to plead guilty to breaking into Heartland’s servers) broke into Heartland’s payroll system via a SQL attack. Heartland’s people spent much of January 2008 cleaning up the payroll mess, ultimately concluding that no data was taken from the payroll program.
But what Heartland’s people didn’t know at the time, Thompson wrote in her decision, was that Gonzalez’s team had hidden another program in the system, one that infected payment processing. Whether the payroll program attack failed or if it had always been intended to be a distraction, giving Heartland the false belief that the threat had been neutralized, is still unknown.
What is known is that the payment processing attack was quite effective. Thompson said that 130 million credit and debit card numbers were stolen in 2008 and that Heartland officials didn’t figure out what was going on until mid-January 2009. It disclosed the credit card breach about a week later.
Heartland’s stock price plunged. “Following this disclosure and subsequent disclosures about the possible impact that the thefts might have on Heartland’s business, Heartland’s stock price dropped from more than $15 per share on January 19 to $5.34 per share by February 24,” Thompson wrote. “If measured from its highest price during 2008, Heartland’s stock suffered a total decline in value of almost 80 percent. Plaintiffs, who purchased stock during 2008, suffered significant losses as a result of this decline in value.”
The lawsuit said that Heartland executives lied about what they knew about the attacks in earnings conference calls and in federal SEC filings.
“Plaintiffs contend that when asked about security incidents that occurred in 2007, Defendants concealed the SQL attack. They also contend that Defendants made statements to the effect that Heartland had adequate security systems and that Heartland took the issue of computer network security very seriously,” the judge wrote. “Plaintiffs argue that these statements concerning the general state of security at Heartland are fraudulent because (CEO Robert) Carr and (CFO Robert) Baldwin were aware that Heartland had poor data security and had not remedied the problem.”
The judge discussed the exchange on the Feb. 13, 2008, earnings call. “During the conference call, Carr and Baldwin discussed certain information technology and security expenditures that Heartland made during the last quarter of 2007. These general remarks prompted a couple analysts to ask whether there was any specific security incident that prompted Heartland to make those expenditures, to which Defendants basically answered, ‘No.’ Plaintiffs allege that this was untruthful because it conceals the fact that Heartland suffered the SQL attack.”