Top executives at Heartland Payment Systems provided more details about the company’s colossal data breach, which heavily impacted related entities. The executives also stated that Heartland will fight the lawsuits stemming from the incident.
According to Heartland chairman and CEO Bob Carr, the malware that penetrated the company’s systems could read and collect unencrypted data in motion. He also said that the hackers may have been able to ‘trade’ some portion of the compromised data.
"Keep in mind that Heartland passed its PCI certification last April, and assessors are currently on-site for 2009 certification, which we are targeting to begin to complete by the end of April. In that regard, throughout the potential period of the breach, Heartland did have antivirus software installed on its payment processing network," Carr said.
Carr states that in the company’s opinion the malware was not always active on its servers.
"And [it] was probably not gathering information from 100 percent of transactions flowing through the system even when active or exporting all of the captured information to the criminals," he said. "For this reason, it is simply not possible at this time to determine accurately the number of card accounts that had information placed at risk of compromise during the breach, or to what extent any such information placed at risk was, in fact, compromised."
Carr also spoke about the need to encrypt data in motion. Heartland is currently considering end-to-end encryption to encompass "the point of card swipe or data entry by a hardware appliance with the encrypted data flowing through all the gateways and communication links to the front-end authorization in data capture switch," he said.