Heartland Payment Systems has reached a settlement with American Express, paying the credit card brand $3.6 million for expenses it incurred as a result of Heartland's massive data security breach.
In a statement, Heartland CEO Bob Carr said the settlement with American Express would "resolve all intrusion-related issues between the two parties."
"We are pleased to have reached an equitable settlement with American Express," Carr said.
In January, Heartland disclosed a massive security breach of more than 130 million credit and debit card numbers. Since then, the payment processor has been working to settle the repercussions, absorbing expenses for technology upgrades as well as costs incurred by financial institutions for replacing millions of consumer credit cards. The payments processor is also battling a number of lawsuits accusing it of negligence.
Heartland's systems were breached last year when hackers installed malware to sniff data crossing the company's network. The breach took place despite the processor being compliant with the Payment Card Industry Data Security Standards. Visa dropped Heartland from its list of PCI-compliant vendors in March. The firm regained its compliance status in May.
A number of arrests have been made in connection with the breach. The U.S. Department of Justice charged Albert Gonzalez and two Russian hackers for their role in a spate of breaches, including intrusions at 7-Eleven Inc. and Hannaford Brothers Co supermarkets.
The men were believed to have started devising a plan to penetrate the networks in 2006. They were believed to have carried out SQL injection attacks, gaining access through vulnerabilities in point-of-sale systems and then installing a packet sniffer to read network traffic for the account data.
In addition, Heartland has paid fines to Visa Inc. and MasterCard for the intrusion. In a conference call with investors in May, Heartland CEO Bob Carr said the company took a loss in the first quarter as a result of the breach-related expenses. About $1 million was paid to Visa. The Princeton, N.J.-based firm said it spent $12.6 million related to the breach at the time.