Mapco Express (NYSE:DK), the convenience-store chain that discovered a major payment-card data breach in May, has been hit with a class-action lawsuit over the incident, according to the Tuscaloosa News. But the named plaintiff doesn't actually claim he was a victim of fraud due to the breach.
On May 6, Mapco said that malware was discovered in its payment systems that may have scooped up payment card data from any of the chain's 377 stores in the southeastern U.S. during certain weeks in March and April.
Plaintiff Ian Yeager's complaint claims that the company was negligent in allowing customers' financial information to be compromised. The lawsuit asks for compensation for any customers affected. But the lawsuit "does not state whether Yeager was a victim of fraud," the newspaper reported.
If ever there was proof of why most retailers are so resistant to going public about security breaches—and why they so carefully couch every statement about breaches with "may" and "might"—this is it.
That, of course, is exactly what Mapco did when it announced the breach. The chain said the malware "may have been active" and card information "may have been compromised." It sounds overly cautious, since the chain's forensic examination has resulted in a very likely scenario in which malware planted in POS systems captured data somewhere between the PINpad and the card processor and forwarded it to thieves.
All of that may well have happened. But at this point, Mapco hasn't admitted it, which makes the success of the breach hypothetical—and any reason to compensate anyone who isn't an actual victim of fraud due to the breach even more hypothetical.
It's in everyone's interest for retailers to make breaches public as quickly as they can. That helps banks and customers protect themselves, tips off other retailers to search for similar breaches, and gives a heads-up to anyone who might (on an outside chance) want to come forward with pertinent evidence. In a perfect world, a quick breach announcement would leave thieves with a hoard of payment card numbers that are useless because they've been replaced.
Unfortunately, in the real world, a quick breach announcement just means a quick lawsuit by someone who hasn't even been victimized.