Heartland says malware breach cost $12.6 million

The data breach at Heartland Payment Systems cost the company a whopping $12.6 million in legal costs and fines from Mastercard and Visa.

The data breach at Heartland Payment Systems cost the company a whopping $12.6 million in legal costs and fines from Mastercard and Visa.

Heartland, a publicly traded company that provides bank card payment processing services to merchants in the U.S., made the disclosure less than four months after confirming a malware intrusion that compromised data that crossed its network.

[ SEE: Heartland finds malware in bank card payment system ]

On a conference call with investors yesterday (see transcript), Heartland CEO Robert Carr explained the financial damage from the breach:

This quarter we have taken a $12.6 million charge in expenses and accruals attributable to the processing system intrusion announced in the first quarter. The smaller part of these intrusion related expenses represents legal and other expenses related to the intrusion and less then $1 million related to fines assessed by Visa against our sponsor banks, which fines our sponsor banks are contesting.

More then 50% of this expense however relates to a fine that MasterCard assessed against our sponsor banks ostensibly because of an alleged failure by Heartland to take appropriate action upon having learned that its computer system may have been breached and upon thereafter having discovered the intrusion.

[ SEE: It's a good day to disclose the largest credit card data breach ever ]

Carr said the company is challenging the MasterCard fine:

Heartland therefore considers the MasterCard fine to be in direct violation of both the MasterCard rules and applicable law and it intends and is prepared to vigorously contest and it has recommended to its sponsor banks that they vigorously contest, through all means available including litigation if necessary any liability that may be asserted or imposed upon Heartland or its sponsor banks by reason of this fine.

Following the breach, Carr said Heartland is on schedule to introduce a fully encrypted end-to-end terminal solution in the third quarter.

* Hat tip: Dan Goodin/The Register.