HOUSTON (CN) – A debit and credit card processor will face just one claim from financial institutions suing over a massive security breach that affected millions of consumers, a federal judge ruled, dismissing nine other counts against Heartland Payment Systems.
Three hackers infiltrated Heartland’s computers in December 2007 and stole 130 million debit and credit card numbers. Heartland was one of five companies that suffered such breaches from the trio of hackers, according to a 2009 indictment filed in the District of New Jersey.
The theft led numerous parties to complain of Heartland’s failure to adhere to industry security standards in providing payment-card processing services. The civil complaints that followed were consolidated in the Southern District of Texas and divided into two tracks of litigation: consumer complaints and financial institution complaints.
U.S. District Judge Lee Rosenthal dismissed all but one of the 10 causes of action from the master complaint filed as a class action by nine banks. Those banks had issued credit to consumers affected by the computer-system breach.
Rosenthal granted the banks leave to amend the dismissed claims for breach of contract, breach of implied contract, express misrepresentation, negligent misrepresentation based on nondisclosure, and violations of the California Unfair Competition Law, the Colorado Consumer Protection Act, the Illinois Consumer Fraud and Deceptive Business Practices Act and the Texas Deceptive Trade Practices-Consumer Protection Act.
Heartland failed only in its bid to dismiss the claim that it violated the Florida Deceptive and Unfair Trade Practices Act. The processor had argued that the act applies only to consumers, not banks, but the Florida Legislature substituted “person” for “consumer” when it amended the act in 2001.
Rosenthal disagreed last week, though she admitted, “The question is a close one.”
One of the hackers, an American named Albert Gonzalez, is serving 20 years in prison after pleading guilty to two charges for the Heartland breach and related crimes. Upon his release, the seasoned hacker is prohibited from using a computer. The original indictment said Gonzalez worked with two hackers who “resided in or near Russia.” In a related case against Gonzalez, the hacker was indicted along with Maksym Yastremskiy, of Kharkov, Ukraine, and Aleksandr Suvorov, of Sillamae, Estonia.