What they aren't saying
The big data breach at Heartland Payment Systems was announced two days ago, and Heartland quickly set up a web site to announce the breach. Here's the headline from the web site:
Heartland Payment Systems Uncovers
Malicious Software In Its Processing System
No merchant information or cardholder Social Security numbers compromised.
If you read further, you find this:
No merchant data or cardholder Social Security numbers, unencrypted personal identification numbers (PIN), addresses or telephone numbers were involved in the breach. Nor were any of Heartland's check management systems; Canadian, payroll, campus solutions or micropayments operations; Give Something Back Network; or the recently acquired Network Services and Chockstone processing platforms.
That certainly doesn't look too bad, does it? What they don't include in the list of information that wasn't compromised is customers' credit card numbers. So it certainly looks like credit card numbers were what the hackers were after and were also what the hackers got. Why not be clearer about this? Why not replace the headline on the web site with this one?
Heartland Payment Systems Uncovers
Malicious Software In Its Processing System
Millions of credit card numbers compromised.
The truth is going to come out eventually. Probably very soon. If credit card numbers were compromised, why not just admit it? Hoping that people won't read your announcement too carefully probably isn't the best way to deal with a data breach.




