On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a class action complaint in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to comply with Card Operating Regulations issued by the payment card industry (MasterCard, VISA, Discover, and American Express), allowing a major data breach to occur between October 25, 2016, and January 19, 2017. Midwest America’s complaint alleges that this breach affected thousands of issuers of credit and debit cards nationwide.
The data breach was first reported last week by cyber security expert Brian Krebs, who said in an online report that he was alerted to problems by affected banks and credit unions. Arby’s subsequently acknowledged the breach, telling him it involved malware on payment systems of its restaurants. In a statement on its website, Arby’s said it immediately notified law enforcement when it became aware of the breach and removed the malware.
The class action complaint alleges that the payment card industry issued Card Operating Regulations that mandate that Arby’s comply with industry standards. These standards require that all businesses upgrade to new card readers that accept EMV chip technology. EMV chip technology uses embedded computer chips to store payment card data. Every time an EMV card is used, the chip creates a unique transaction code that cannot be duplicated.
EMV technology increases payment card security because the unique code, if stolen, cannot be used by hackers. The deadline for the installation of such systems was October 1, 2015. The class action alleges that Arby’s did not meet this deadline, as it has not installed chip card readers in its stores. The Card Operating Regulations dictate that businesses that continue to accept payment cards without chip readers will be liable for any damages as a result of data breaches.
The complaint alleges that Arby’s knew of the danger of not safeguarding its terminal network because Target, Home Depot and Wendy’s suffered similar data breaches. In 2015, Target agreed to pay $39.4 million to banks and credit unions in a suit relating to a 2013 data breach. Proposed class actions by banks and credit unions over Home Depot’s 2014 breach and Wendy’s 2015 breach are still pending in federal courts.
This recent breach demonstrates how difficult cyber security can be even for large businesses that have seen a number of their competitors deal with large breaches and that may have the resources to properly address cyber security concerns. This case, and other large-scale breaches, may explain why smaller targets may dismiss cyber security safeguards based on the misconception that breaches only take place when there is a large amount of data at risk. However, it is important to keep in mind that many hackers have found that smaller targets have lighter security than larger targets. Therefore, while large-scale breaches are still taking place, there have been a number of recent examples of why smaller targets should continue to prepare for a cyber incident.