Wednesday, February 18, 2009

Heartland Payment Systems - Fallout Hits Alaska

It's official, the Heartland Payment Systems fallout has hit every corner of the United States (and beyond). Alaskan banks are now feeling the pinch, in what could be yet another nail in the HPS coffin. I don't like to call a ToD before the patient is cold - but this time I think it's rather obvious that HPS won't be making it through this cataclysmic event. Looking at the sheer numbers... just from Alaska:

  • Alaska USA Federal Credit Union reissued 64,000 debit cards and 6,000 credit cards to customers in Alaska and western Washington state
  • First National Bank Alaska reissued 1,150 credit cards and 7,000 debit cards
  • Credit Union 1 reissued 1,121 credit cards and 7,135 debit cards
  • Denali Alaskan Federal Credit Union reissued more than 5,000 credit and debit cards

By my count, using these rough numbers we're looking at... ~91,406 cards re-issued throughout Alaska.... so far. Let's dig deeper into the numbers... just based off this latest Alaska-based article.

  • 1 out of every 5 First National Bank, Alaska customers had their card compromised - that's actually pretty high when you consider that HPS is estimating (and I'm guessing conservatively) on the number of compromised accounts... because they obviously have no idea
  • The cost of re-issuing a card (at least at First National) is about $5/card
  • ~91,406 x $5 = $457,030 (by conservative extension --> 100,000,000 x $5 =

Keep in mind these numbers are a conservative estimate and many banks aren't re-issuing cards unless they actually see fraud on some major portion of that population. While that may be a high-risk activity, it is clear that the banks are taking these risks because re-issuing cards is both bad for PR, and very expensive.

So as the numbers mount, and the dollar-cost of this breach piles up - you have to wonder what, if any, controls could have prevented this catastrophe? If we take it as a high-probability that this wasn't just some random virus and it was indeed targeted malware... what could being PCI compliant have done to prevent this? (the answer is likely nothing). Also... what are banks, credit agencies, card processors and other financial institutions doing now that they see the consequences of a breach staring them in the face?

I wonder. Here's something interesting...

Wells Fargo Bank, Northrim and KeyBank officials wouldn't say how many cards they've reissued due to the security breach.

Unlike other banks and credit unions in Alaska, KeyBank isn't notifying customers whose card data may have been breached unless the bank notices suspicious activity on those accounts.

Instead, "We have ramped up our fraud monitoring," said Anne Foster, a regional spokeswoman for KeyBank, which has 17 branches in Alaska.

She said KeyBank will reissue cards to customers who request it, and will immediately notify customers of any suspicious charges, but the company is trying to avoid customer anxiety and extra expense to people who haven't actually been harmed. So far, there's no evidence that KeyBank customers' card data has been used fraudulently as a result of the breach, she said.

KeyBank is the primary sponsor bank for Heartland. That means that KeyBank registers Heartland with Visa and Mastercard to provide payment processing services. Heartland must have a sponsor bank in order to do business with Visa and MasterCard.

... I wonder how long that KeyBank - Heartland Payment Systems relationship will last now that HPS is going down as the largest (and arguably most expensive) data breach in history...I wonder.

More here...

1 comment:

14u2trust said...

Hello, I have found your blog while investigating Heartland Payment Services for double charging an account. Where did you find actual numbers of cards issued from AK Banks? If I find trustworthy info I will report issue on "Victims of Corrupt Organizations Reporting Scams in "Your State"." Thanks for helping others become informed.