MAPCO Express Sued Over Malware Attack

Class Action Suits Raise Questions About Breach Losses
MAPCO Express Sued Over Malware Attack

Three class action lawsuits have been filed against MAPCO Express, a convenience store chain, in the wake of a malware attack the suits allege exposed payment details on hundreds of debit and credit cards.

See Also: How to Hunt Threats Like Elite Defenders with Open NDR + MITRE ATT&CK®

Following discovery of the attack, MAPCO noted that all of the 377 convenience stores that connect to its corporate network may have been affected. Card data associated with transactions conducted between March 14 and April 21 was likely impacted, the company said.

The suits seek unspecified damages for financial losses linked to fraud and monetary compensation for the identity theft and credit reporting burden the exposed cardholders now face.

On July 3, MAPCO filed a motion to have two of the suits dismissed. MAPCO claims the suits filed on behalf of Brooke Davis on June 14 and Ian Yeager on June 17 are identical to the first suit, which was filed May 14 on behalf of Brian Burton. "All three actions seek the same relief on behalf of the same putative class against MAPCO," the filing states. "The class definitions are practically word-for-word identical."

MAPCO executives declined to offer further comment about the pending litigation.

Breaches: Assessing the Loss

One of the lawsuits mentions the breach costs involved are in excess of $5 million. But experts say determining the actual total cost of a retail network breach is extremely difficult. No one, including the card brands, has a good handle on exactly how much is lost as a result of fraud and post-breach expenses after a retail network attack, says Jim Butterworth, chief security officer of HBGary, a forensics company that handles breach investigations and analyzes malware attacks.

"I don't know that there is a hard-fast number on what the losses actually are," Butterworth says. "You've got the regulatory costs, the expense of issuing new cards and providing credit counseling to the victims, which in and of itself can cost between $44 and $99 per person. Then you have the legal loss and the actual expense of the vendors or experts you're going to hire for investigation. That's all before you factor in the loss related to fraud itself."

A similar suit filed in April against Schnuck Markets Inc. following a malware attack estimates that 500,000 cards were exposed, but it does not offer an estimate of total losses.

Schnucks has refuted the $80 million loss estimate cited in some media reports about the lawsuit. "In the past, you may have seen me speak to the $80 million estimate," says Schnucks spokeswoman Lori Willis. "The number was pulled from figures in our filing that were based on the plaintiffs' lawyer's estimates. We believe that the entire suit is without merit. We have offered no damage estimates."

Attorney David Navetta, co-founder of the Information Law Group, says the $80 million loss figure is likely exaggerated is to garner attention for the case.

But Avivah Litan, a financial fraud expert and analyst for consultancy Gartner, says that figure could be a good estimate, depending on the number of cards actually compromised. "Something like 10 percent of breached cards are actually used for fraudulent transactions after they are compromised," she says. "And the average amount of loss just for the fraud is about $700 per card."

When all of the other expenses are factored in, the loss total adds up quickly, she says.

Butterworth estimates the amount lost to fraud per exposed card is more like $300 - but that's just one of many expenses. "It's the things you have to do after the breach that's going to drive the costs up," he says. "How big is your breach? How much public exposure did you get? Were there class action lawsuits and international suits?"

Most retailers do not have a handle on how much all of that could cost, and most are not well prepared to deal with the breach aftermath, Butterworth adds.

Claims Against MAPCO

Two of the MAPCO lawsuit plaintiffs, Davis and Burton, claim fraudulent transactions resulted from the compromise. And all three suits allege MAPCO and its parent, Delek US Holdings, also named in the claims, failed to adequately protect customer accounts and did not notify the public in a timely manner.

"The defendant had a duty to timely disclose the data compromise to all customers whose credit and debit card information and other nonpublic information was, or was reasonably believed to have been, accessed by unauthorized persons," one of the filings claims. "Class members were harmed by [the] defendant's delay because, among other things, fraudulent charges have been made to class members' accounts."

MAPCO on May 6 issued a statement acknowledging a network breach that likely affected purchases dating back to March.

"Upon discovering the issue, MAPCO took immediate steps to investigate the incident and further strengthened the security of its payment card processing systems to block future information security attacks," the company explains in its FAQ.

In a July 8 statement provided to Information Security Media Group, MAPCO says its internal investigation is complete.

"The investigation by law enforcement officials is ongoing, and we intend to cooperate as needed, but defer any comment regarding the criminal investigation to them," the company states. "Since the incident, MAPCO has worked with an external consultant to recommend and implement additional security precautions to better protect the integrity of our transactions."

Those precautions have included the implementation of new monitoring software and a robust authentication system, MAPCO says. "Numerous other policy and procedure changes have been implemented to fortify the IT network perimeter," the company adds.

"While no system is impervious to determined criminal hackers, we are confident that we have appropriate systems in place to guard against data theft," MAPCO states. "We will continue to be vigilant about our security measures going forward and want to reassure customers that we value their business and will continue to act responsibly with the trust they place in us in the course of everyday business."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.