Schnucks Sued Over Malware Attack
Suit Alleges Inadequate Breach Prevention, Notification
A class action lawsuit has been filed against Schnuck Markets Inc., the St. Louis-based grocery store chain that last month announced its point-of-sale network had been attacked by a "malicious computer code" designed to capture payment card details (see Retailer Says 'Code' Compromised Cards).
The lawsuit, filed April 8, seeks unspecified damages for consumers affected by the breach. It alleges Schnucks should have notified consumers immediately and directly about the breach. The suit also claims Schnucks' failure to adequately protect cardholder data exposed customers' personally identifiable information, ultimately resulting in deceptive and unfair practices, which is a violation of the Missouri Merchandising Practices Act. As a result, affected cardholders now run the risk of having their identities stolen, the suit argues.
Schnucks acknowledged in an e-mail to BankInfoSecurity on March 26 that customer complaints about fraud linked to payment cards used at its stores prompted it to launch an investigation. A few days later, on March 30, Schnucks issued a statement confirming an attack, after a forensics firm had been brought in and discovered malicious code within Schnucks' POS network.
In that statement, which was e-mailed to media and posted on Schnucks' corporate site, the grocery store chain said it had notified the Missouri Attorney General's Office of the breach and was working with local law enforcement to investigate what happened. At no time, however, did Schnucks state on which date it launched its investigation, nor when it detected a possible breach.
Schnucks, which operates about 100 stores in five states, did not respond to BankInfoSecurity's request for a comment about the lawsuit. But in an April 7 statement posted to the corporate site, Schnucks notes that it did not become aware of the cyberattack that struck its network until March 28, after an investigation was launched by Mandiant.
"Schnucks did not know on March 15 that it had been the victim of a cyberattack," the company says. "Rather, Schnucks was informed by credit card companies on Friday, March 15 that banks had detected fraud on 12 different credit cards that had been used at Schnucks. We immediately began an investigation, and engaged forensic investigators from Mandiant, the leading payment card industry forensic investigation firm. When Mandiant found the first indication of a cyberattack on March 28, Schnucks' IT department worked with Mandiant for the next 36 hours to contain the incident and block any further access to payment card data."
Reaction to Suit
Class action lawsuits in the wake of breaches, while common, are rarely successful, says attorney David Navetta, a data breach expert. That's because consumers typically cannot prove substantial losses tied to the breach, he says.
"In most cases for credit card breaches, the cardholder is not out of pocket any amount," he says.
The lawsuit also references the potential for identity theft, Navetta says, but that's not easily linked to the compromise of payment cards.
"Theft of credit card numbers, by itself, cannot lead to ID theft," Navetta says. "To me this looks like many other cases that were dismissed relatively early. I expect a motion to dismiss to be filed fairly soon, and then we will see if this case has any legs."
Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says most class action lawsuits against retailers and processors prove fruitless.
"It is very difficult to show damage against cardholders, since they are protected by law - Regulation Z for credit cards and Regulation E for debit cards - in addition to Visa and MasterCard liability protections," Litan says. "Consumers, while greatly inconvenienced, almost never suffer financial damages, so it's a losing argument, in my opinion, and has been stated as such by judges in the past judging similar cases."
Lawsuit Claims ID Theft Connection
The lawsuit alleges consumers affected by the breach are now susceptible to ID theft, and it questions whether Schnucks was in compliance with the Payment Card Industry Data Security Standard at the time of the attack.
Schnucks has not indicated whether it was PCI compliant at the time of the breach, but says it was compliant at the time of its most recent audit, which was conducted in November 2012.
Litan says retailers of Schnucks' size invest thousands of dollars annually to ensure compliance is maintained. The problem: Despite checkbox compliance, retailers are still getting breached, she says.
"The attacks continue to succeed against PCI-compliant companies, a phenomenon that is incredibly frustrating to companies that spend millions of dollars to secure their systems for PCI," she says.