Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

Written by Evan Schuman
December 10th, 2009

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs misled the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not.

The Heartland incident that prompted the lawsuit started in December 2007 when a group of cyberthieves led by Albert Gonzalez (who just this month agreed to plead guilty to breaking into Heartland’s servers) broke into Heartland’s payroll system via a SQL attack. Heartland’s people spent much of January 2008 cleaning up the payroll mess, ultimately concluding that no data was taken from the payroll program.

But what Heartland’s people didn’t know at the time, Thompson wrote in her decision, was that Gonzalez’s team had hidden another program in the system, one that infected payment processing. Whether the payroll program attack failed or if it had always been intended to be a distraction, giving Heartland the false belief that the threat had been neutralized, is still unknown.

What is known is that the payment processing attack was quite effective. Thompson said that 130 million credit and debit card numbers were stolen in 2008 and that Heartland officials didn’t figure out what was going on until mid-January 2009. It disclosed the credit card breach about a week later.

Heartland’s stock price plunged. “Following this disclosure and subsequent disclosures about the possible impact that the thefts might have on Heartland’s business, Heartland’s stock price dropped from more than $15 per share on January 19 to $5.34 per share by February 24,” Thompson wrote. “If measured from its highest price during 2008, Heartland’s stock suffered a total decline in value of almost 80 percent. Plaintiffs, who purchased stock during 2008, suffered significant losses as a result of this decline in value.”

The lawsuit said that Heartland executives lied about what they knew about the attacks in earnings conference calls and in federal SEC filings.

“Plaintiffs contend that when asked about security incidents that occurred in 2007, Defendants concealed the SQL attack. They also contend that Defendants made statements to the effect that Heartland had adequate security systems and that Heartland took the issue of computer network security very seriously,” the judge wrote. “Plaintiffs argue that these statements concerning the general state of security at Heartland are fraudulent because (CEO Robert) Carr and (CFO Robert) Baldwin were aware that Heartland had poor data security and had not remedied the problem.”

The judge discussed the exchange on the Feb. 13, 2008, earnings call. “During the conference call, Carr and Baldwin discussed certain information technology and security expenditures that Heartland made during the last quarter of 2007. These general remarks prompted a couple analysts to ask whether there was any specific security incident that prompted Heartland to make those expenditures, to which Defendants basically answered, ‘No.’ Plaintiffs allege that this was untruthful because it conceals the fact that Heartland suffered the SQL attack.”


5 Comments | Read Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

  1. Anthony M. Freed Says:

    As far as I know, the SEC investigation is still underway, and an indictment would certainly see this lawsuit revisited, perhaps in another jurisdiction – either where a plaintiff resides, where a data center is located, or Cal-litigate-afornia, where it fairly easy to sue anyone.

    The judge’s opinion was strong regarding the likelihood that Carr and Baldwin will be sanctioned for misleading statements to investors, but it certainly did not dismiss the notion that material adverse information was deliberately withheld from investors between December of 2007 and January of 2009.

    The dismissal also does little to undermine charges of possible insider trading by HPS executives, the crux of the SEC investigation.

    And let us not forget that more financial impact form the breach cleanup is to be expected, which already had Heartland backpedaling on their last quarterly earnings statement to the tune of nearly $80M.

    The ruling was definitely a victory for Heartland, but potential liabilities still threaten the company’s viability, with a their market cap at about $430m.

    If Heartland’s liabilities begin to approach the $200m to $250m range, Heartland could likely file for BK. We certainly have not heard the last of this breach.

  2. Evan Schuman Says:

    Anthony is clearly correct that anyone can sue anyone for anything in this country and the SEC can probe almost anything it wants. But whether or not you happen to agree with the federal judge’s decision in this case, her decision was clearly articulate. In other words, she laid out her thinking and evidence for all to see, so observers can judge for themselves whether the ruling has merit.
    But I do take slight exception to Anthony’s comment that the judge’s ruling “certainly did not dismiss the notion that material adverse information was deliberately withheld from investors between December of 2007 and January of 2009.” Actually, it did indeed dismiss that. That was the basis of her ruling, that she saw no material information deliberately withheld from anybody. You can certainly disagree with her conclusion but you can’t say that she didn’t dismiss that scenario. She clearly did.

  3. Anthony M. Freed Says:

    Very true – and I should clarify by saying that given the outcome of the SEC investigation, Heartland executives could very well face a charge of withholding material information both criminally and in civil litigation.

    The judges decision is not based on all the facts and information that may be available after the SEC weighs in, but is based on the facts and arguments presented in the plaintiffs complaint, which was dismissed.

    And a dismissal is not an acquittal. It does not necessarily reflect on the validity of the allegations per se, as much as it is a ruling on the validity of the complaint as filed.

    I would not rule anything out yet.

  4. Evan Schuman Says:

    It’s absolutely fair to say that an SEC probe could easily be aware of things that the a civil lawsuit judge may not.
    But, to be fair, a dismissal in a federal civil lawsuit is more significant than you’re suggesting. It either indicates a lack of validity to the complaint or VERY bad counsel filing that complaint. The threshold to have a civil lawsuit proceed to trial is quite low in the U.S., and I’ve covered enough ludicrous civil trials to know that all too well.
    For a judge–especially a federal judge–to dismiss a lawsuit, the judge pretty much has to conclude that the accusations and support points made are absolutely without merit. In this instance, the complaint didn’t even support its own accusations. It’s not like the plaintiffs accused Heartland of XXXX and Heartland disputed it with documents or a witness. The judge looked at the plaintiff’s own claims and concluded that they weren’t making a good enough case to even go to trial.
    Again, Anthony, I’m agreeing with you that an SEC probe could go in a different direction, but let’s not make light of a federal judge ordering a complete dismissal with prejudice. That’s not something that happens every day.

  5. Anthony M. Freed Says:



StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.