2009: Off to a Hacking Good Start

In the bleariness of the morning off-to-work routine, the news of the breach of information about hundreds of millions of debit cards was accompanied by an analysis that said the intruder’s software was light years ahead of that of Heartland Payment Systems.

At least that’s what it sounded like at 6:45 a.m. or so on New Jersey Network News, which was announcing what was termed yesterday the largest data breach, one in which electronic thieves made off with data from Heartland Payment Systems, which provides credit and debit-card processing services on a large scale. An estimated 250,000 business accounts were afflicted.

As things developed, that might have been vastly overstated.

Maybe it’s just that even the Internet services hadn’t caught up with the analysis that early in the day. But the mere thought that the crooks have far more advanced technology systems than a major financial company doesn’t provide a lot of comfort at a time when financial institutions are fragile.

While the details unroll, it’s a good time to consider that information technology security was No. 1 on the list of Top Ten Technologies for 2009, as selected by the American Institute of CPAs.

The problem was identified as malware that had been in Heartland’s systems, possibly for months, and the company issued a statement that it was possibly the result of intruders involved in cyber-fraud on a global scale.

Of course, most accounting firms don’t have the kind of information that these thieves want: credit card numbers are very saleable. The same probably can’t be said for a few hundred small business tax returns or financial statements. These are most likely to be affected by internal factors, such as deleting the wrong file, or more rarely, a partner who takes off with client contact information to set up another business.

No, the real lesson of Heartland is the need for vigilance. And as the day wore on, the company announced that merchant and customer data had not been affected and that there was no theft of client information such as Social Security, telephone or personal identification numbers. At least one Kentucky bank canceled a few thousand debit cards, and was issuing new ones to customers. But it said no fraudulent activity had been detected.

Whether the story is as bleak as first reported or as minimal as Heartland’s later statement, there’s no doubt that the AICPA members who selected the major issues had a very good idea of what they were doing.
