Reached Wednesday, a Heartland spokesman could not say why the SEC was investigating the company.

However, the investigation may relate to stock trades made by Heartland Chairman and CEO Robert Carr after Visa notified Heartland of suspicious activity on Oct. 28, 2008. According to insider trade filings, Carr sold just under US$8 million worth of stock between Oct. 29 and the day the breach was disclosed. Heartland's stock was trading in the $15-to-$20 range for most of these transactions, but it dropped following the breach disclosure. It closed Wednesday at $5.49.

During the conference call, Carr said that his trades were part of a 10b5-1 plan initiated in August -- months before Heartland knew of any problems -- to pay off his personal debt, and that he stopped selling shares as soon as the company discovered malicious software on its systems on the night of Jan. 12. "I had no discretion regarding the terms or timing of the sales," he said.

Carr sold just over 900,000 of his 5.8 million shares before pulling the plug on the 10b5-1 plan in January, Heartland said.

It is not unusual for the FTC to investigate data breaches and use its authority to seek penalties or consumer restitution following data breaches. ChoicePoint reached a $15 million FTC in 2006 after identity thieves gained access to 163,000 consumer records in the company's database.