IMGCAP(1)]
Fallout from the breach of unencrypted card data Heartland Payment Systems Inc. announced in January will pose the biggest challenge for the merchant processor in 2009, Heartland executives acknowledged this morning. During a conference call with analysts to discuss Heartland's fourth-quarter earnings, Chairman and CEO Robert Carr noted that several lawsuits have been filed against the company, and he expects more to follow. The processor also is the subject of several governmental investigations and inquiries, including an new formal inquiry by the U.S. Securities and Exchange Commission, a related investigation by the Department of Justice, and inquiries by the Office of the Comptroller of the Currency and the Federal Trade Commission, Carr said. "We intend to vigorously defend any claims asserted against us, and we believe we have meritorious defenses to the claims asserted against us to date," he said. It is too early to guess what the breach-related losses will cost Heartland this year, Robert Baldwin, Heartland president and chief financial officer, said during the call. Though Heartland expects breach-related costs to be "material," the processor has the ability to absorb significant costs, Baldwin added. Heartland's competitors will continue to use news of the breach to try to poach its merchant customers, "and some will succeed," Carr said. Even so, he called Heartland's sales performance since the breach encouraging. "Since Jan. 20 (when Heartland announced the breach) we have installed slightly more margin than in the same period last year, and our merchant attrition has actually be a hair better than in the same period of 2008," he said. Despite analyst questions seeking more detail, neither Baldwin nor Carr revealed significant new information or an estimate of how many cards might have been compromised. Investigators have been unable to determine how long malicious software was on Heartland's server, though they believe it ceased being active during 2008, Carr said. "It seems clear that the malware was not active at all times during those periods and was probably not capturing information from 100% of transactions flowing through the system, even when active or exporting all the captured information to the criminals," Carr added. "For this reason, it is simply not possible at this time to determine accurately the number of card accounts that had information placed at risk or compromised during the breach, or to what extent any such information placed at risk was in fact compromised."
