We spend a lot of space on our blogs talking about the hard and soft costs of data breaches. PGP Corporation also sponsors the annual Ponemon surveys of this topic. I don't tend to focus on it in my blog because I find the crimes that cause breaches so interesting, but last week I saw some new numbers that are truly startling. Heartland Payment Systems released their Q1 earnings report. According to this story at Forbes.com, Heartland has so far spent $12.6 million to remediate the breach they experienced in December. The expenses associated with the breach caused Heartland to report a net loss for the quarter.
This would appear, however, to be just the start of what it will cost Heartland to remediate the breach and deal with the fallout from its customers and investors. On the day Heartland announced the breach (January 20), its stock closed at $14; 24 hours later it closed just above $8 per share, a decline of roughly 42% that wiped out more than $200 million in shareholder value and produced the nearly vertical line in the middle of the chart below. As the chart also shows, Heartland's stock has regained none of the ground it lost on that day.
HYP Stock Chart
Little wonder that the company is now the subject of a number of class action lawsuits asserting that it must compensate investors. You can read about a few of these suits here, here, and here. Beyond these suits, Heartland's former customers are lining up to sue to recoup the costs they have incurred notifying cardholders and reissuing cards. So far only eight customers have brought suit, but since Heartland claims to serve more than 500 banks and other institutions, these are likely just the first of many such suits to follow. On top of a growing number of lawsuits, Heartland's CEO is now under investigation by the SEC, which is looking into the circumstances surrounding a series of stock sales in late 2008.
One last consequence of the Heartland breach is the effect it is having on the vendors who bill consumers that have had to transition to new credit cards issued by their banks. As anyone who has ever lost a credit card knows, when you get a new card you have to inform every service that charges that card periodically for things like newspapers, online subscriptions, or even just cable/satellite service. So now we have a situation in which tens of thousands of consumers who have been issued new cards must contact all of those vendors, or else the attempts to bill their old card numbers will be rejected. A very good story about how this is affecting one online business appeared in today's Washington Post.
About the only good news the company has received recently is its reinstatement to Visa's list of PCI DSS approved payment processing vendors. However, as my colleague Brian Tokuyoshi so eloquently points out in his recent posting, compliance (a point-in-time validation against a checklist of controls) does not guarantee security, and if any incident has ever proved that point, surely the Heartland breach does.