Four credit unions and the Michigan Credit Union League have filed class-action suits against fast food giant Arby’s Restaurant Group, which recently acknowledged a potential data security incident.
The complaints allege that malware on the Arby’s point-of-sale system network allowed hackers to steal data on customer payment cards between Oct. 25, 2016, and Jan. 19, 2017. Track 1 and Track 2 data, which normally includes cardholder names, primary account numbers, expiration dates and sometimes PIN numbers, were compromised, they allege.
The Fort Wayne, Ind.-based Midwest America Federal Credit Union, which has $549 million in assets and about 56,000 members, filed its complaint on Feb. 10, followed by the Huntsville, Ala.-based North Alabama Educators Credit Union; the Saginaw, Mich.-based Wanigas Credit Union and the New Castle, Penn.-based First Choice Federal Credit Union. Gulf Coast Bank & Trust Company, which is headquartered in New Orleans, was also party to the complaints. North Alabama Educators has $89 million in assets and about 10,000 members, Wanigas has $326 million in assets and about 26,000 members, and First Choice has $44 million in assets and about 6,500 members.
“Industry sources estimate that the fraudulent charges associated with this breach at Arby’s have been more concentrated than in other recent data breaches (e.g., Target, Home Depot and Wendy’s), causing plaintiff and other members of the class to suffer much greater losses,” the Midwest America complaint said.
The complaints allege that the breach resulted in the credit unions and thousands of others incurring costs to cancel and reissue cards, change or close accounts, notify members that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges and increase fraud monitoring activities. Card issuers also lost interest and transaction fees due to reduced card usage, and the issuer’s debit and credit cards, as well as the account numbers on those cards, lost value, they claimed.
“The number of [Compromised Account Management System] CAMS and [Account Data Compromise Alerts] ADC alerts received by many financial institutions have been among the largest (meaning most cards compromised) CAMS or ADC alerts they have ever received for a single event,” Midwest America alleged in its complaint. The credit unions said they received alerts around the week of Feb. 5.
“Indeed, the fact that cardholder data was left exposed for close to three months and the fact that defendant continuously failed to detect this vulnerability demonstrates its complete lack of procedural and other safeguards with respect to its customers’ data,” it stated.
The suits also claimed that, among other things, Arby’s failed to delete cardholder information from its systems after authorizing transactions, failed to protect against malware and viruses, didn’t have an adequate firewall, didn’t monitor access to its network and cardholder data and failed to disclose the breach in a timely manner.
The company addressed the alleged breach in a statement earlier this month.
“Arby’s Restaurant Group, Inc. (ARG) was recently provided with information that prompted it to launch an investigation of its payment card systems. ARG immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” it said. “While the investigation is ongoing, ARG quickly took measures to contain this incident and eradicate the malware from systems at restaurants that were impacted.”
The credit unions are asking the courts to, among other things, require Arby’s to use industry-standard security protocols that encrypt transmission of cardholder data, use EMV technology and use third-party auditors to test its systems for weaknesses.
“If defendant suffers another massive data breach, plaintiff and the members of the class will likely incur hundreds of millions of dollars in damage,” Midwest America said.
