The turbulent economy and the fallout from a data breach pushed Heartland Payment Systems Inc. into the red in the first quarter.
The Princeton, N.J., processor reported a loss of $2.5 million Thursday, compared with net income of $8.9 million for the same quarter last year.
Heartland announced in January that hackers breached its network last year and captured the credit and debit card numbers and expiration dates of an undisclosed number of cards.
"We seem to be at the vortex of an economy that has been derailed, the dawning of an age of escalating cybercrime and possibly some fundamental changes in consumer behavior that could be changing the nature of personal consumption," said Robert Carr, Heartland's chairman and chief executive, in a conference call with analysts to discuss the results Thursday.
The processor identified the source of the breach as a "sniffer" program that made it past the company's antivirus software. Sniffer programs are used to analyze network data and deliver it to fraudsters.
"It is not unexpected" that the breach "would have an effect on everything from sales, attrition, expenses and legal," said Robert Dodd, an analyst at Regions Financial Corp.'s Morgan Keegan & Co. Inc. "Across the board, it affects things."
Heartland reported $12.6 million of first-quarter expenses and accruals attributable to the processing system intrusion. A fine imposed by MasterCard Inc., which said the processor had not taken appropriate action after learning that its systems may have been breached, accounted for about half of those expenses, Carr said. Less than $1 million was related to fines assessed by Visa against Heartlands sponsor banks.
Since disclosing the breach, Heartland has been the subject of at least four class actions. Two lawsuits in New Jersey and one in Florida, all filed in January, allege that the processor failed to protect consumer card data and to notify affected cardholders of the breach in a timely manner.
The fourth suit, filed by the Bala Cynwyd, Pa., law firm Brodsky & Smith LLC, alleges that the processor violated federal securities laws by issuing a series of statements that "artificially" inflated the price of Heartland's shares.
In March, Visa Inc. removed Heartland from its list of service providers compliant with the Payment Card Industry data security standard; the company was reinstated on the list last week.
However, being dropped from the roster of PCI-compliant companies likely prompted some concern from clients about the safety of continuing to do business with the firm.
Heartland said the number of new merchant clients fell 9.7% from a year earlier. Dodd said the drop was "surprising" and likely a result of both the poor economy and the breach. This was the first time Heartland's new contracts have declined, he said.
Because Heartland was not on Visa's compliant-vendor list through April, it is likely the processor's second-quarter results will continue to show adverse effects from the breach. "The impact will moderate in the second quarter, but it will not go away," Dodd said.
Adil Moussa, an analyst at Aite Group LLC, predicted that Heartland would rebound "a little" in future quarters. However, "there may still be more hard times to come for Heartland, depending on how much they have to settle with different issuers and the different lawsuits brought against them," he said.
Heartland's revenue increased 23.4%, to $98.5 million. The value of transactions it processed grew 17.4%, to $15.5 billion, mainly because of new merchant clients in the service station segment and modest growth in small and midsize merchant volume.
