Heartland Breach Blamed for Failed Membership Renewals
In February, Bill Oesterle began seeing nearly twice the normal number of transactions being declined for customers who had set up auto-billing on their accounts. The co-founder of Angie's List -- a service that aggregates consumer reviews of local contractors and physicians -- said he originally assumed more customers were simply having trouble making ends meet in a down economy.
But as that trend continued into March and April, the company shifted its suspicions to another probable culprit: credit card processing giant Heartland Payment Systems.
The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud.
For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number.
The Heartland breach happened late in 2008 and was quietly announced in late January. Since then, Oesterle said, Angie's List has seen an increase of two to four percentage points in the rejection of auto-billed payments.
"We estimate that we're seeing an impact of perhaps as much as $1 million in revenue as a result of the increased turnover in card turnover," Oesterle said.
Oesterle said the possibility of the Heartland breach as the source of the increased turnover became clear at a recent staff meeting, when he discovered that three out of four of the people around the table had recently been re-issued new credit cards by their banks, which had attributed the action to the Heartland breach.
"So we started doing some random sampling, and took a look at people [whose cards were] being declined, and started contacting them," Oesterle said. "Most of the people we contacted said they were happy with the service, but had had their credit card re-issued by their bank as a result of the Heartland breach."
The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information, Oesterle said.
"We have processes in place to track these rejections that allow us to go back to members, asking for updated information, but we generally accept that some rejected auto-bills will never be recouped," he said. "We'll work hard to re-capture those members, but it will cost us additional resources to do so - and some will be lost."
Avivah Litan, a fraud analyst with Gartner Inc., said no doubt much of the attrition companies like Angie's List are seeing is in fact due to cards being re-issued by banks in response to the Heartland breach. But she said Heartland is likely also being wrongly blamed as the source of cards compromised in other -- less publicized -- data breaches that happened at the same time.
"There are some big numbers being bandied around about how many cards were breached because of Heartland, but Heartland wasn't the only company breached during this time," Litan said.
Litan said information about just how many compromised cards that banks are attributing to the Heartland breach will be clearer within the next week: Banks affected by the breach have until May 19 to file their fraud claims with Visa.
So far, Heartland has spent more than $12.6 million responding to the breach. More than half of that is due to fines MasterCard levied against Heartland's sponsor banks, which then passed the fines on to Heartland.
Oesterle also is a board member for the National Bank of Indianapolis, which is no doubt seeking its own pound of flesh from Heartland: He said the institution has so far re-issued at least 5,000 credit and debit cards to customers because of the Heartland breach.
Update, 3:18 p.m. ET: Changed wording in the last sentence from "whose account information was compromised" to "because of," a clarification requested by Oesterle.
May 14, 2009; 11:40 AM ET
Categories: Economy Watch , Fraud | Tags: angie's list, bill osterle, heartland breach
Save & Share: Previous: Adobe, Apple and Microsoft Issue Security Updates
Next: MyIDscore.com Offers Free ID Theft Risk Score
Posted by: fastoy | May 14, 2009 1:49 PM | Report abuse
Posted by: M_J_P | May 14, 2009 3:21 PM | Report abuse
Posted by: jongrantham | May 15, 2009 4:49 PM | Report abuse
Posted by: LysaMyers | May 19, 2009 7:15 PM | Report abuse
The comments to this entry are closed.