Network News

X My Profile
View More Activity

Heartland Breach Blamed for Failed Membership Renewals

In February, Bill Oesterle began seeing nearly twice the normal number of transactions being declined for customers who had set up auto-billing on their accounts. The co-founder of Angie's List -- a service that aggregates consumer reviews of local contractors and physicians -- said he originally assumed more customers were simply having trouble making ends meet in a down economy.

But as that trend continued into March and April, the company shifted its suspicions to another probable culprit: credit card processing giant Heartland Payment Systems.

The data breach last year at Heartland -- a company that processes roughly 100 million card transactions a month for more than 175,000 businesses, has forced at least 600 banks to re-issue untold thousands of new cards in a bid to stave off fraud.

For consumers, receiving a new credit or debit card number means contacting companies that have those credentials on file to charge for monthly or periodic bill payments. Less well understood, however, is the economic impact that large scale processor breaches and the inevitable waves of re-issues by banks may have on companies when customers simply fail to reset that automatic billing when they receive a new card number.

The Heartland breach happened late in 2008 and was quietly announced in late January. Since then, Oesterle said, Angie's List has seen an increase of two to four percentage points in the rejection of auto-billed payments.

"We estimate that we're seeing an impact of perhaps as much as $1 million in revenue as a result of the increased turnover in card turnover," Oesterle said.

Oesterle said the possibility of the Heartland breach as the source of the increased turnover became clear at a recent staff meeting, when he discovered that three out of four of the people around the table had recently been re-issued new credit cards by their banks, which had attributed the action to the Heartland breach.

"So we started doing some random sampling, and took a look at people [whose cards were] being declined, and started contacting them," Oesterle said. "Most of the people we contacted said they were happy with the service, but had had their credit card re-issued by their bank as a result of the Heartland breach."

The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information, Oesterle said.

"We have processes in place to track these rejections that allow us to go back to members, asking for updated information, but we generally accept that some rejected auto-bills will never be recouped," he said. "We'll work hard to re-capture those members, but it will cost us additional resources to do so - and some will be lost."

Avivah Litan, a fraud analyst with Gartner Inc., said no doubt much of the attrition companies like Angie's List are seeing is in fact due to cards being re-issued by banks in response to the Heartland breach. But she said Heartland is likely also being wrongly blamed as the source of cards compromised in other -- less publicized -- data breaches that happened at the same time.

"There are some big numbers being bandied around about how many cards were breached because of Heartland, but Heartland wasn't the only company breached during this time," Litan said.

Litan said information about just how many compromised cards that banks are attributing to the Heartland breach will be clearer within the next week: Banks affected by the breach have until May 19 to file their fraud claims with Visa.

So far, Heartland has spent more than $12.6 million responding to the breach. More than half of that is due to fines MasterCard levied against Heartland's sponsor banks, which then passed the fines on to Heartland.

Oesterle also is a board member for the National Bank of Indianapolis, which is no doubt seeking its own pound of flesh from Heartland: He said the institution has so far re-issued at least 5,000 credit and debit cards to customers because of the Heartland breach.

Update, 3:18 p.m. ET: Changed wording in the last sentence from "whose account information was compromised" to "because of," a clarification requested by Oesterle.

By Brian Krebs  |  May 14, 2009; 11:40 AM ET
Categories:  Economy Watch , Fraud  | Tags: angie's list, bill osterle, heartland breach  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: Adobe, Apple and Microsoft Issue Security Updates
Next: MyIDscore.com Offers Free ID Theft Risk Score

Comments

Go look at http://www.2008breach.com/. In this Heartland says:

"That means you can continue to do business — or start doing business — with Heartland despite our temporary removal from the list.

"If a card brand attempts to fine you solely because you process with Heartland, Heartland will defend you against the card brand's claim to collect the fine."

I read this that Heartland has not corrected their problems (at least at the time of that posting March 23, 2009) and if the merchants suffered a fine as a result of using Heartland that Heartland would pay that fine.

BANKS WAKE UP. QUIT ACCEPTING HEARTLAND.

Posted by: fastoy | May 14, 2009 1:49 PM | Report abuse

Don't forget the impact to charities - they seem to be very big users of auto-billing arrangements.

I confess I used a card reissue as a simple way to sever an auto-paid interest group membership. Easier than navigating the typical service termination request maze.

Posted by: M_J_P | May 14, 2009 3:21 PM | Report abuse

As M_J_P indicates, this may be a feature, not a bug. If consumers don't care enough to update their credit card information, they're probably getting billed for stuff they don't use any more. Hopefully they'll spend the lost revenue on something more productive for them.

Posted by: jongrantham | May 15, 2009 4:49 PM | Report abuse

In this economy, anything which hurts business more than usual is unquestionably a bad thing. That being said, I certainly hope businesses who've been affected take this to heart - a security breach on any of us hurts all of us. We do not live in a disconnected world anymore, we live in a world where borders cross constantly. Malware preys on anyone who has poor security, and it's profitable directly because of its egalitarian nature. The more we protect ourselves, the less profitable it is to create and use malware, so the more protected our neighbors will be.

Posted by: LysaMyers | May 19, 2009 7:15 PM | Report abuse

The comments to this entry are closed.

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company