MAPCO Express Sued Over Malware Attack

Data breach leads to three class action lawsuits seeking unspecified damages.

July 10, 2013

PRINCETON, NJ – Three class action lawsuits have been filed against MAPCO Express following a malware attack that exposed private customer information, BankSecurityInfo.com reports. The suits seek unspecified damages.

The attack may have compromised data at all of its 377 convenience stores that connect to its corporate network. The attacks occurred between March 14 and April 21.

One suit alleges losses of as much as $5 million, though it’s a figure that industry experts say is hard to pinpoint.

A similar suit was filed in April against Schnucks Markets Inc. following a malware attack that involved as many as 500,000 cards. While some media reports cited an $80 million loss estimate, Schnucks spokesperson Lori Willis disputed that figure.

"In the past, you may have seen me speak to the $80 million estimate," Willis said. "The number was pulled from figures in our filing that were based on the plaintiffs' lawyer's estimates. We believe that the entire suit is without merit. We have offered no damage estimates."

However, Avivah Litan, a financial fraud expert and analyst for consultancy Gartner, said the $80 million figure could be a good estimate, depending on the number of cards actually compromised. 

"Something like 10% of breached cards are actually used for fraudulent transactions after they are compromised," she said. "And the average amount of loss just for the fraud is about $700 per card." 

Two of the MAPCO lawsuit plaintiffs claim fraudulent transactions resulted from the compromise. And all three suits allege MAPCO and its parent, Delek US Holdings, failed to adequately protect customer data and provide notice of the breach in a timely manner.

"The defendant had a duty to timely disclose the data compromise to all customers whose credit and debit card information and other nonpublic information was, or was reasonably believed to have been, accessed by unauthorized persons," one of the filings claims. "Class members were harmed by [the] defendant's delay because, among other things, fraudulent charges have been made to class members' accounts."

On May 6, MAPCO issued a statement acknowledging a network breach.

"Upon discovering the issue, MAPCO took immediate steps to investigate the incident and further strengthened the security of its payment card processing systems to block future information security attacks," the company explained in its FAQ. 

In a July 8 statement provided to Information Security Media Group, MAPCO said its internal investigation is complete.

"While no system is impervious to determined criminal hackers, we are confident that we have appropriate systems in place to guard against data theft," MAPCO stated. "We will continue to be vigilant about our security measures going forward and want to reassure customers that we value their business and will continue to act responsibly with the trust they place in us in the course of everyday business."

NACS is following the case closely and issued a stiff rebuke to news of the lawsuits.

“MAPCO was also a victim of this crime, so the response is to sue the victim?” asked Lyle Beckwith, NACS senior vice president of government relations, incredulously.

“The fact that the payment system MAPCO is forced to use in order to stay in business is so flawed that it is almost impossible to protect with commercially reasonable efforts should be the real focus here. Instead of taking aim at the victims of a flawed payment system, the Trial Bar should be focusing on those who constructed such a faulty product in the first place — the card brands.” 

Beckwith continued: “It is a fact that if PIN was required on all transactions, the card data stolen from MAPCO would be effectively useless and this theft would have never happened in the first place, but the card brands steadfastly refuse to do what is right to protect consumer data. Instead, we have a monopoly card payment system without any real external controls or accountability, transferring liability to other stakeholders and effectively being sheltered from any social responsibility for product safety. If the card brands were any other manufacturer, they would be forced to recall all these faulty cards and fix the problem.”
