The company's announcement of the breach came (probably not by accident) while the focus of the nation was on the inauguration, hundreds of millions of citizens with their eyes on Washington, unaware that a sizeable percentage of them may have had their credit card numbers grabbed by cyber crooks.
Heartland is that big, handling 100 million transactions a month for a quarter million businesses.
Heartland was quick to point out that there's no evidence that social security, address or phone number, or merchant data was compromised. Few other details have been forthcoming.
This one is big for small and midsize businesses for a couple of reasons.
For one, you count on processors to handle transactions for you and your customers, and one of the things you count on is absolute security. This wasn't a bonehead unsecured network breach like the TJX (TJMaxx) leak a while back. This was a keystroke logger inside Heartland's network. How did it get in there and how long did it log before discovery?
For another, Heartland's handling of the announcement lives up to all the bad moves big companies make when they screw up: no banner or information-pointer on the company's homepage. You have to dig into the investor relations page, then go to press releases, then call up the announcement.
(You can lose some time looking: I came across a "Letter From CEO" [sic] but it was a recruitment pitch.)
In fact, the most prominent item on the home page is an announcement that Heartland is changing its look... and the future of payments. Ya think?
These things always sprawl and there are always more revelations that should have been made public on page one on day one. The comment in the company's announcement that "Heartland believes the intrusion is contained." is hardly reassuring.
So watch this space for future developments and revelations.
I for one am going to be very interested in the explanation of just how a keylogger got inside Heartland's network in the first place.