Earlier this week, Bank Info Security reported that two Philadelphia-based law firms had filed class-action suits on behalf of all debit- and credit-card holders in the U.S. who had their data stolen in the Heartland data breach:
"The law firm of Berger & Montague filed a class action suit in the U.S. District Court for the District of New Jersey, alleging Heartland's failure to safeguard cardholder data when the company's computer systems were hacked and cardholder data was stolen... Berger & Montague were also co-lead counsel in the consumer class action suit brought against TJX Companies, which resulted in a $200 million settlement. The third class action lawsuit filed in February against Heartland comes from Sheller P.C. of Philadelphia, PA. Sheller's suit against Heartland has similar charges against the payment processor. Sheller P.C. also filed its class action lawsuit in the U.S. District Court for the District of New Jersey."
According to various news reports, Heartland announced on January 20, 2009 that the sensitive financial information that it handles was stolen: consumers' names, credit card and debit card numbers, and expiration dates. The breach occurred sometime during 2008 when malicious software was installed on Heartland's computer network. Heartland said that it processed about 100 million card transactions per month during 2008, but an unknown number of cards were affected by the breach. Fraudulent activity has already occurred on some of those cards.
This data breach was massive. So far, about 330 financial institutions have reported their customers' cards were compromised because of the breach. Those cards must be replaced, old accounts closed, and new replacement accounts opened. All of this costs money and somebody will pay -- hopefully Heartland.
When companies fail to adequately protect consumers' sensitive personal data, there are several consequences. One consequence: consumers can stop shopping at that company, provided it is a retailer. When the company isn't a retailer, other consequences can be applied, such as a class-action lawsuit. Kudos to both Berger & Montague and Sheller PC.
Thanks George. I started an article last night concerning the written policy program that every business better get going on and pretty quick. I am asking everyone to ask to see the policy of each business they do or might do business with. That includes banks. As you know banks have (mostly) completed their red flags compliance but I have found proof that the employees from management down have no clue about the policy, and have recieved no training on the policy. I am going to send you another article later today.
John
Posted by: John Taylor | Friday, March 13, 2009 at 11:24 AM