Impacts Continue From The Heartland Data Breach
Friday, March 19, 2010
"Around 5000 First National Bank of Durango customers have been unable to use their cards in stores, although they can still withdraw cash at ATMs. In a notice on its Web site, the bank says: 'Please be aware that as a result of a security breach at Heartland Payment Systems that occurred over a year ago, debit cards issued by the First National Bank of Durango may have been compromised. It is important to note that there was not a security breach at First National Bank of Durango, our systems remain secure. The breach occurred at a 3rd party processor.'"
Reportedly, the First National Bank of Durango blocked payments after several customers contacted the bank about suspicious charges on their bills.
Are these continual post-breach impacts unusual? Experts say that this is to be expected. According to Bank Info Security:
"What happened to First National Bank of Durango is not unusual, says Avivah Litan, Gartner distinguished analyst. 'Typically the crooks will use stolen cards right after a heist until the looting is discovered and publicized in the media... At that point, the crooks will lie low and not use them because of heightened alerts that will flag and stop their use (e.g. because the cards are on watchlists).' Then when time passes and the heat is off, 'The crooks will rear their ugly heads and start using them again...' Debra Geister, Senior Director, AML and Compliance Services at LexisNexis Risk Solutions, says this scenario is really no different from a sleeper scam, where the fraudsters sit back and wait until an opportune time to strike."
As I've written repeatedly in this blog, identity thieves are smart and persistent. The risks continue as long as the thieves believe that they can use the stolen information successfully, or resell it to others who can use it successfully.
After a data breach involving debit/credit cards, banks block accounts and then re-issue cards with new account numbers only as needed, since re-issuing cards is expensive. After a breach of sensitive personal information (e.g., Social Security number, birthdate, etc.), companies often offer free credit monitoring services for a year or two. This Heartland post-breach experience casts doubt on both practices, since criminals don't magically give up after a year or two.