Recognizing The Different Types of Injured ID-Theft Victims
Slumping Economy Makes It Harder For Consumers To Recover From ID-Theft

Consequences of the Heartland Data Breach

About a week ago, my friend Janet (not her real name) received a phone call from Visa about suspect charges on Janet's Visa credit card through her credit union. Janet asked me not to disclose the name of her credit union, but it is a well-known higher education credit union located in the Northeast.

Janet asked me what she should do next. Her story has implications for many consumers.

Visa was proactive with contacting Janet about several small charges. Visa wanted to know if the charges were valid. Together, the five charges were less than $50 total, but Visa explained to Janet that often identity thieves and fraudsters submit small charges first. The identity thieves hope that the charges go paid and unnoticed, since many consumers don't check their monthly credit card statement. The real damage is done later when large, fraudulent charges are submitted.

Janet informed Visa that the charge were indeed bogus. Visa closed her credit card account and opened a replacement account. Visa also said that they were going to send Janet an affidavit to sign, indicating that the charges were were indeed fraudulent, which Janet must sign and return to Visa.

My advice to Janet:

  1. Keep breathing. Yes, identity theft is scary but her situation is manageable. It definitely seemed that fraudster had obtained her credit card number, if not more sensitive personal data.
  2. Definitely sign the form and return it to Visa via Certified postal snail-mail with a return receipt requested. That way she'd have a written record of when Visa received her signed form.
  3. Keep a copy of the signed form for her records.
  4. File a police report with her local police department, and attach a copy of the affidavit if needed.
  5. Definitely accept the new credit card account Visa had arranged
  6. Check her credit reports for any bogus entries. (Janet had already placed a Security Freeze on her credit reports years previously, when this became available in Massachusetts.)
  7. Inform her credit card issuers of her upcoming travel abroad, so they know that credit card purchases in certain countries within certain dates will be valid charges; and do not suspend or close her credit card accounts
  8. File a complaint with the U.S. Federal Trade Commission, since the FTC tracks fraud and relies upon consumers to notify it
  9. Check her monthly credit card statement closely for bogus charges. Janet said that she already did this regularly and would continue doing so.

Then, I asked Janet if her credit union or Visa had mentioned the Heartland Payment Systems vendor. Like most consumers, Janet hadn't heard of Heartland since Heartland isn't a vendor consumers usually do business with. Janet, like most consumers, is familiar with the credit card companies and banks.

I briefly explained to Janet the Heartland data breach, how hundreds of thousands of credit card numbers were exposed/stolen, and how Heartland isn't sure exactly how many credit/debit card accounts were exposed/stolen. A January 2009 Washington Post story mentioned that the Heartland breach may be the largest breach ever for the number of accounts stolen. Janet said that she'd ask Visa about it the next time she talked with them on the phone.

A few days later, Janet informed me that Visa confirmed that they use Heartland to process credit card transactions, and that this was probably a result of the Heartland breach. Janet's story has several implications for consumers:

What bothers me about Janet's story is:

  • As of April 12, the Heartland breach site still does not disclose the number of consumers' credit/debit card accounts affected by its data breach. Either the company knows and refuses to say, or they don't know the number affected. If Heartland knows, then the number must be huge -- bigger than the TJX debacle
  • Consumers like Janet are not being informed that their credit/debit accounts may have been affected (e.g., stolen) during the Heartland data breach. This seems to contradiction states' laws requiring consumer notification
  • At its breach web site, Heartland encourages companies not to take any action about the Heartland breach since things will be fixed soon. Huh? Consumers have been affected. This "take no action" advice seems to also apply to communications to consumers. After all of the problems in the financial and banking industry during the past year, I would have thought that Heartland would understand the benefits of transparency about communications. Keeping secrets does damage, and consumers' trust is damaged or broken by secrets
  • Janet's credit union doesn't seem to have provided much help, so far

To be fair, this week Janet plans to contact her credit union for more information and to see what they are doing about the fraud. Maybe Janet's credit union is following Heartland's advice.

If you have experienced fraud recently on your credit card or debit card account, I hope that you'll follow Janet's lead to protect yourself and your sensitive personal data. If you want to share your story below, it would be appreciated.

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

Account Deleted

thanks for the info..its a great help.i think people should know about this aside from me..its a great help..especially the tips..

The comments to this entry are closed.