Scienter was also lacking because there were no allegations Heartland knew or had reason to know its security was so deficient that it was false to say it put a significant emphasis on security.
The plaintiffs alleged that several confidential informants who had worked for Heartland thought it had not done enough to deal with the SQL attack but Thompson termed their criticism "after-the-fact speculation by a handful of lower-level employees."
Heartland's lawyer, Seth Lapidus, of Blank Rome in Princeton, says his client was a "victim of a sophisticated crime designed to be concealed and not be found by the company and its auditors" and "to be sued for not detecting it, adds insult to injury."
The plaintiffs "had a series of confidential informants who appeared to be disgruntled former employees all of whom were speculating about what could have happened but had nothing to say about what did happen," he adds.
Lead plaintiffs' counsel Paul Geller and Douglas Wilens, both of Coughlin Stoia Geller Rudman & Robbins in Boca Raton, Fla., did not return a call for comment, nor did local counsel Peter Pearlman, of Cohn, Lifland, Pearlman, Herrmann & Knopf, in Saddle Brook, N.J.
Jay Foley, executive director of the Identity Theft Resource Center based in San Diego, thinks Heartland should have done more to protect the data it handles. "I run a small nonprofit and my IT guy is constantly checking the logs for attacks against my servers," he says. "Why didn't they?"
Heartland is still defending lawsuits by consumers who fear misuse of their stolen information and credit card issuers who claim they incurred large costs to cancel and reissue the cards whose numbers were compromised.
Several such cases, filed in New Jersey, have been transferred by the Multi-District Litigation Panel to the Southern District of Texas for consolidation with similar actions.
Heartland tried to have the securities litigation transferred to Texas too but the MDL panel denied the request.
Albert Gonzalez, of Miami, was indicted in New Jersey on Aug. 17, for allegedly conspiring with two unidentified others in the cyber-heist. He also faces similar charges in the Eastern District of New York and the District of Massachusetts.
Gonzalez is accused of stealing data from five corporate victims: Heartland, 7-Eleven, Hannaford Brothers and two other companies described only as "major national retailers." He and his conspirators allegedly identified vulnerabilities and potential targets by scanning Fortune 500 lists, exploring corporate Web sites and visiting retail locations to see what kind of check-out machines were in use. They would then launch SQL attacks that inserted malware designed to locate account information and copy it onto their own servers, according to the indictment. They also allegedly employed "sniffers" to intercept data as it was being processed.
The case, U.S. v. Gonzalez, 09-CR-626, was transferred Tuesday from New Jersey to a federal court in Massachusetts, where Gonzalez is in custody.