PRINCETON, NJ – Three class action lawsuits have been filed against MAPCO Express following a malware attack that exposed private customer information, BankSecurityInfo.com reports. The suits seek unspecified damages.
The attack may have compromised data at all of its 377 convenience stores that connect to its corporate network. The attacks occurred between March 14 and April 21.
One suit alleges losses of as much as $5 million, though it’s a figure that industry experts say is hard to pinpoint.
A similar suit was filed in April against Schnucks Markets Inc. following a malware attack that involved as many as 500,000 cards. While some media reports cited an $80 million loss estimate, Schnucks spokesperson Lori Willis disputed that figure.
"In the past, you may have seen me speak to the $80 million estimate," Willis said. "The number was pulled from figures in our filing that were based on the plaintiffs' lawyer's estimates. We believe that the entire suit is without merit. We have offered no damage estimates."
However, Avivah Litan, a financial fraud expert and analyst for consultancy Gartner, said the $80 million figure could be a good estimate, depending on the number of cards actually compromised.
"Something like 10% of breached cards are actually used for fraudulent transactions after they are compromised," she said. "And the average amount of loss just for the fraud is about $700 per card."
Two of the MAPCO lawsuit plaintiffs claim fraudulent transactions resulted from the compromise. And all three suits allege MAPCO and its parent, Delek US Holdings, failed to adequately protect customer data and provide notice of the breach in a timely manner.
"The defendant had a duty to timely disclose the data compromise to all customers whose credit and debit card information and other nonpublic information was, or was reasonably believed to have been, accessed by unauthorized persons," one of the filings claims. "Class members were harmed by [the] defendant's delay because, among other things, fraudulent charges have been made to class members' accounts."
On May 6, MAPCO issued a statement acknowledging a network breach.
"Upon discovering the issue, MAPCO took immediate steps to investigate the incident and further strengthened the security of its payment card processing systems to block future information security attacks," the company explained in its FAQ.
In a July 8 statement provided to Information Security Media Group, MAPCO said its internal investigation is complete.
"While no system is impervious to determined criminal hackers, we are confident that we have appropriate systems in place to guard against data theft," MAPCO stated. "We will continue to be vigilant about our security measures going forward and want to reassure customers that we value their business and will continue to act responsibly with the trust they place in us in the course of everyday business."
NACS is following the case closely and issued a stiff rebuke in response to news of the lawsuits.
“MAPCO was also a victim of this crime, so the response is to sue the victim?” asked Lyle Beckwith, NACS senior vice president of government relations, incredulously.
“The fact that the payment system MAPCO is forced to use in order to stay in business is so flawed that it is almost impossible to protect with commercially reasonable efforts should be the real focus here. Instead of taking aim at the victims of a flawed payment system, the Trial Bar should be focusing on those who constructed such a faulty product in the first place — the card brands.”
Beckwith continued: “It is a fact that if PIN was required on all transactions, the card data stolen from MAPCO would be effectively useless and this theft would have never happened in the first place, but the card brands steadfastly refuse to do what is right to protect consumer data. Instead, we have a monopoly card payment system without any real external controls or accountability, transferring liability to other stakeholders and effectively being sheltered from any social responsibility for product safety. If the card brands were any other manufacturer, they would be forced to recall all these faulty cards and fix the problem.”