Heartland Data Breach

Crisis or Hype?

From , former About.com Guide

Updated January 23, 2009
This past Tuesday marked one of the most significant events in the history of the United States, if not the world. All eyes were on Washington DC as Barack Obama, the first President of the United States of African-American descent, was sworn into office.

One million plus people gathered on the National Mall, huddled around jumbotron screens as much as two miles from the actual ceremony just for an opportunity to say they were there. Some estimate that it may have been the most watched event in television history as millions of Americans, and millions more from every corner of the world, tuned in to watch the historic event.

As the dust settled though, another story emerged. A credit card processing company made an announcement, seemingly timed to be obscured by the hoopla of Inauguration Day while people were too distracted to pay attention.

Eventually though, someone looked at the announcement. Heartland Payment Systems, a credit and debit card processing company that processes approximately 100 million transactions per month, disclosed that there had been a compromise of their security and a data breach of credit card information that had been going on for months.

Many of the details have not been disclosed, but one estimate states that the breach had occurred as far back as May of 2008. At 100 million transactions per month, that could potentially amount to 900 million to 1 billion credit card transactions that could have been captured, easily dwarfing the TJX breach, the current holder of the "Biggest Data Breach in History" title.

TJX had their own sneaky, last-minute announcement under the radar this week as well. They demonstrated how much they appreciate their customers by holding a Customer Appreciation Day sale on a random Thursday in the middle of January, two years after they announced that they intended to conduct the sale to make amends with their customers after their data breach. The Customer Appreciation Day event had virtually no marketing and was announced with about 24 hours' notice. It seems to me that they wanted to make sure as few customers as possible got to experience their appreciation. But, I digress.

The media have jumped all over the Heartland breach and dubbed it the new "Biggest Data Breach in History". Chicken Littles are everywhere claiming the sky is falling. Is this really a crisis though, or just hype?

A reader commented about the TJX situation and linked to an article he had written claiming that the world had over-reacted to the TJX data breach. I refuted the comment, but upon further reflection I think his post has more merit than I gave it credit for.

Michael Santarcangelo wrote a similarly themed article about this latest breach titled "Heartland Breach: Crying Wolf Doesn't Protect Data". The point of both of these articles is that the way breaches are quantified leads to sensational headlines but, historically speaking, few actual cases of fraud or identity theft.

When a retail chain loses a data backup tape with information on 5 million customer accounts, it is deemed a breach of 5 million accounts. The reality is that the tape might just be lost or misplaced. Perhaps it was accidentally discarded and it is sitting in a landfill. Maybe someone did steal it, but does not have the foresight or skills to understand or use the information it contains. There are a wide variety of scenarios in which the tape can be gone, yet no actual risk exists for the 5 million customers.

In the case of Heartland Payment Systems, there are already cases of fraud. It was Visa and Mastercard detecting fraudulent activity and notifying Heartland Payment Systems that led them to investigate and learn about the breach at all. However, it is difficult to know whether the extent of the actual compromise is 1 billion credit card accounts, or 100 credit card accounts. Until cardholders are actually victimized with fraudulent purchases or identity theft of some sort, it is all just speculation and hype.

The other side of the issue though is that they have to do something proactive to protect consumers. They had an obligation to secure and protect the data they were trusted with and they failed. I wouldn't suggest that they preemptively replace hundreds of millions of credit cards, but I also don't suggest they do nothing and leave the burden on the consumers to detect and report individual cases of fraud.

The response to the breach should be a rational one. Heartland Payment Systems, their customers, and the credit card providers need to look past the sensational hype and try to learn what really happened and what the real potential risk is. They have to be proactive, but they don't have to over-react.

I do question the ethical implications of trying to bury the story by announcing it on Inauguration Day. It seems to imply they have something more to hide. But, until or unless that is proven true, consumers should ignore the hype and speculation and focus on sound principles for protecting themselves against identity theft.
