What Happens If Your Customers' Credit Card Data is Hacked
Let's say you are the CEO of a company and you have just learned that the firm that handles your credit card sales has been hacked and the confidential financial information of thousands of your customers has been stolen.
What are you in for? A pretty hard time, L. Richard Fischer, a lawyer and fraud expert with the Washington law firm of Morrison & Foerster, told me.
"First, expect the Federal Trade Commission and a number of attorneys general from various states to contact you. Your budget is going to have to increase because you are going to have to help pay to notify the customers of the problem.
"Next, expect lawsuits from banks and credit card firms that have to close down accounts and eat the losses.
"And, you might have to face class action lawsuits," he said.
The issue has gained currency because last week, New Jersey-based Heartland Payment Systems, which processes payroll and credit card payments for more than 250,000 businesses, reported that its credit card data was breached in what could be the largest such fraud ever.
Although it isn't known how many cards were exposed, the firm handles 100 million transactions a month. What happened, Fischer explained, is that technically savvy hackers somehow slipped malware into the firm's software system; the malware stole data and sent it back to the perpetrators.
Many of the businesses affected were small and middle-sized ones such as restaurants from across the country, Fischer said.
It was the latest case of major card data hacking. In 2007, TJX Companies announced that it had been hacked and that more than 40 million credit and debit card accounts, involving such major retailers as Barnes & Noble, OfficeMax, BJ's Wholesale Club and Boston Market, had been broken into. Eleven people have been charged, including three U.S. citizens and others from Estonia, Ukraine, Belarus and the People's Republic of China.
Fischer says that the TJX case brought 20 class action lawsuits. So far, two have been filed against Heartland.
Another problem managers will have to face is an increase of perhaps 25 percent in IT costs involving data security. Some of that may have to go toward higher levels of encryption. At a minimum, managers will have to periodically review their point-of-sale security. "The criminals are getting more and more sophisticated," Fischer said.