Living with credit, Protecting yourself, Research, regulation, industry reports

Heartland Payment Systems data breach claims a victim: me

Emily Crone

When I learned last week about what may have been the world’s largest payment card data breach, I knew there were going to be potentially millions of victims. What I didn’t expect is that I may be one of them.

This Monday afternoon, I opened my mailbox to find a letter from my issuer, Bank of America. Inside was a shiny, new replacement debit card. At first I was perplexed; my card was nowhere near its expiration date. I read the accompanying letter, addressed from Stacy A. Maschhoff, the Debit Card Operations Executive. It said the bank has learned that some of their check card information many have been compromised, and my card “may have been part of this compromise.” Ah ha. Thanks, Heartland Payment Systems, the source of the breach, which took place last year but was not discovered until Visa and MasterCard inquired about curious transactions, and was not publicly reported until Jan. 20, 2008.

To be on the safe side, Bank of America issued me a card with new numbers. I’m very curious as to how many cards they reissued. Perhaps they were given a list of all the merchants involved in the breach and decided to reissue cards for anybody who shopped at one of them.

The letter asked that I notify all of the merchants that I have recurring payments with and give them the new card information. Fortunately, almost all of my recurring payments are on my credit cards, so I don’t have much work to do. My old card will automatically be closed within 30 days, so I hope nobody does any damage with the old numbers until then.

While Heartland isn’t offering me any type of protection as a potential victim, I am happy to say that my bank is. The letter says the bank will be monitoring the activity on my checking account, and they will immediately notify me if they detect any suspicious transactions. Because of the free “Total Security Protection package” that comes with my card, I will be reimbursed for any unauthorized transactions as long they are reported (by me or the bank) within 60 days of my bank statement. I’ll be credited for the loss by the end of the next business day. “If it’s not your purchase, it’s not your problem,” Maschhoff’s letter says. Well, it is my problem if I live in Washington or Idaho; the fine print says this security feature isn’t available in those two states. Luckily for me, I reside in Texas.

Scope of problem unclear
The scope of the data breach still isn’t clear — some reports say data from as many as 100 million cards may have been intercepted by hacker-installed “sniffer” software. The reaction, however, is clear: It has put a spotlight on the increasing volume of data breaches, created massive headaches for card issuers, sparked a class action lawsuit and spurred warnings from Iowa to Vermont, from Florida to Guam.

In the state of Washington, it has put a breeze behind a credit union’s proposal to pass a state law forcing data transmitters such as Heartland to reimburse banks for the costs they cause.

Information, advice
The New Jersey-based Heartland has created a Web site,, to pass along information about the breach.

For those who may have been victims, the unanimous advice from all quarters is to step up their vigilance and monitor even more closely their credit card bills. Quickly report any suspicious activity.

Has anyone else received a breach-related replacement card in recent days?

See related: Few answers in massive security breach

Join the Discussion

We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, we ask that you do not disclose confidential or personal information such as your bank account numbers, social security numbers, etc. Keep in mind that anything you post may be disclosed, published, transmitted or reused.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

  • John Franks, CIO

    Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and thefts are due to a lagging business culture and people aren’t getting the training they need. Absent a new eCulture, breaches will, and continue to, increase. For example: Microsoft patched for this worm 4 months ago. As CIO, I’m constantly seeking things that work, in hopes that good ideas make their way back to me – check your local library: A book that is required reading is “I.T. WARS: Managing the Business-Technology Weave in the New Millennium.” It also helps outside agencies understand your values and practices.
    The author, David Scott, has an interview that is a great exposure:
    The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
    In the realm of risk, unmanaged possibilities become probabilities read the book BEFORE you suffer a bad outcome or propagate one.

  • FYI, a bill (HB 345 in the House and SB 327 in the Senate) has been filed in this session of the Texas Legislature to reimburse credit unions and banks for these types of massive breaches.
    It’s a bill we supported in 2007 and it made it through the Texas House, but didn’t make it out of committee in the Senate.
    The bill would do one simple thing. It would require anyone who accepts credit or debit card payments to secure everyone’s financial identity – as they are already required to by contract. With one difference.
    They’d have to pay if they didn’t follow the rules.
    So keep an eye out at the Capitol in Austin. We may get better protection for consumers yet!

  • nick

    i left town armed with only my bank of america check card this weekend… a few declines was more than what i needed to call up boa and request an explanation. it took me 10 minutes to get the representative to give me a reason for my card declining and another 10 to get him to tell me the party at fault, heartland. thanks BOA for not sending me a letter. now i’m living my weekend away on IOUs.

  • Mike

    The only reason I can come up with for the fact of you being upset with Heartland is that you don’t understand the situation. You want to use your credit card or debit card for purchases (which means you probably can’t afford them so you put yourself in debt) has to be able to use the card, if it weren’t for companies like Heartland you wouldn’t be able to use your card. There has to be a processor which is what Heartland does. Your bank can’t do it, you card can’t do it on it’s own. I am sure that Heartland or any other company like them asked for someone to hack into their system. You can’t be mad at Heartland for not knowing or maybe not releasing the info sooner. What is wrong with todays news is no one gets the whole story before they report so innocent people and companies pay a bigger price for bad press because there is no benefit of the doubt anymore in our country. I have a suggestion listen to Dave Ramsey before you get so far in debt you can’t get out of it. Cut up your credit cards and then you wont have to wory about people stealing your money and you getting mad at the wrong person. In your article there was nothing negative said about the people who actually breeched the system which is who you should be upset with and who should be responsible for the problem. I am sure Heartland had their ducks in a row for something like this not to happen but there are a lot of smart people out there who manage to break codes and do things like this. Be mad at the computer geeks not the people responsible for paying your bills for you.

  • Tony

    Mike, Wow! Your comments are so obtuse and thoughtless I hardly know where to begin.
    1. The article NEVER suggested that there shouldn’t be a transaction processing company like Heartland involved in… credit card transactions. And yes banks could in fact perform these transactions, but like many other industries they outsource this part of their work to companies that specialize in the process.
    2. DEBIT cards are connected directly to your bank account, usually checking. This means that you MUST have enough money in your account for a DEBIT card transaction to even be approved.
    3. Using a CREDIT card does NOT automatically translate to “I can’t afford anything at all, so I’m putting myself into debt”. Get a clue!
    — Using a credit card is mandatory for many on-line transactions.
    — It’s safer and easier than carrying around a wallet loaded fat with cash bills.
    — Many credit cards also offer consumer protection and insurance on purchases, which you don’t get with cash transactions.
    — For these reasons, I deliberately use my credit card (NOT my debit card) for every purchase, and I always pay off my credit card account before I can be charged interest.
    4. “You can’t be mad at Heartland for not knowing or maybe not releasing the info sooner.” Oh yes we can, and a LOT of people very rightfully are.
    Because Heartland deals with critical customer data, it is RESPONSIBLE FOR the security of that information. In this instance at least, they FAILED to protect our data from theft, and because their security was so lax, they let the data theft continue for MONTHS. Even when they learned about the problem, it was because someone else told them about it. And then they deliberately reported the problem on Inauguration Day when everyone’s attention would be pointed in a single direction (away from them).
    5. “there is no benefit of the doubt anymore in our country” – Phhhht! This is a pointless whine. Rampant corporate greed and corruption doesn’t exactly leave people feeling warm and fuzzy secure these days. Besides, this is what the court system is for. If/when Heartland finds itself in court for this (and it will), they are automatically given the benefit of the doubt until proven guilty.
    6. As for “The only reason I can come up with for the fact of you being upset with Heartland is that you don’t understand the situation,” you’ve provided a pretty compelling argument that you are the guilty party here.
    7. “Be mad at the computer geeks not the people responsible for paying your bills for you.” First off, Heartland doesn’t pay your bills FOR you: You do that. Second, people are upset at Heartland for valid reasons: We know there are criminals out there who steal our data and use it against us every day, so there must be protection of this data at all levels starting with the card holder. The companies who handle the data we give them – people who we TRUST with that info – need to be not only vigilant, but competent at protecting it. Heartland doesn’t appear to have been either vigilant or competent, and we SHOULD be upset at them or they’ll just keep doing a poor job.
    Anyone interested actively protecting themselves against card and check fraud should read Frank Abagnale’s “The Art of the Steal”. He is the man the movie “Catch Me If You Can” was based on, and he knows his stuff. The book is a bit outdated by now, but is fairly cheap and still has a lot of excellent useful info.

  • Right on Tony ! Mike’s comments made my blood boil, especially since I have just learned I am one of the poor suckers that had to get a new debit card. Mike you should not make assumptions about one’s wealth or ability to pay at any level. I am debt free; however, I am aware that some people have to use credit for medicine and unexpected events in life. So maybe you should ‘get a clue’ yourself. Next, I am mad at Heartland because they should have and could have handled it so much better. Yes I am upset with the thiefs but that is not my point and I gather it was not really your point either. You began by stating that people did not understand and maybe this is a good time to evaluate your understanding.

  • Jean

    Mike could use a bit more education. There are 2 kinds of cards – credit and debt, and some cards can be used as either. They all look alike but with similar, ie: not exactly the same, uses. My husband is out of town and needs to have the debit card (that’s the card where the money comes immediately out of one’s account, no ‘credit’ involved, Mike) and we found out yesterday that our card was used the day before as part of the Heartland breech months ago. Now, my husband has no access to our checking account money and MUST use the credit card (zero balance, Mike). Yes, we will have a new card – in a week – which is of no immediate help to my husband or me. This is a huge inconvenience courtesy of Heartland. Yes, I can be, and am, angry with Heartland, and for just cause.