Schnucks Didn't Break Law, Is Also Victim in Credit Card Breach, Attorney General Says

[Erica Absetz <erica () riskbasedsecurity com>]

http://blogs.riverfronttimes.com/dailyrft/2013/07/schnucks_credit_card_attorney_general.php

The class-action lawsuits against Schnucks allege that the company was
negligent in its handling of a massive security breach that
potentially compromised millions of credit and debit cards. Customers
seeking damages across Missouri and Illinois argue that the company
had an obligation to tell patrons sooner than it did.

The Missouri Attorney General's office, however, has a different take
on the breach: Schnucks is a victim, too.

"After reviewing the records and speaking with forensic investigators,
we did not find that Schnuck Markets violated Missouri laws regarding
data security," Nanci Gonder, spokeswoman for the attorney general,
tells Daily RFT in an e-mail. "We are of the opinion that Schnuck
Markets was itself a victim of criminal wrongdoing which remains under
investigation by authorities."

See also:
- Schnucks: Credit Card Security Breach May Have Impacted 2.4 Million People
- Schnucks' Biggest Fans: St. Louis Couple Gets Married At Des Peres Supermarket
- Schnucks Lawsuit: Could Company Owe Millions of Dollars To Affected Customers?

As we reported back in April, Schnucks announced that a "cyber attack"
between December of 2012 and March 29 of this year impacted a majority
of the chain's 100 supermarkets and that shoppers during that
timeframe who used credit or debit cards should monitor their accounts
or consider getting new cards.

The company is now facing multiple class-action lawsuits from
attorneys making a range of allegations of wrongdoing on behalf of the
company.

via

But from the perspective of the Attorney General's office, Schnucks
did not do anything illegal -- a statement which will likely be useful
to the company as it continues to argue in court that it should not be
held responsible.

Gonder explains to Daily RFT that the attorney general's investigation
was conducted over several months:

Investigators from the Attorney General's Office kept in contact with
officials from Schnuck Markets for several months as information was
gathered. As required by their agreements with credit card companies,
Schnucks commissioned an independent forensic investigation firm to
thoroughly examine their network, identify the source and cause of the
breach, and submit a detailed report of their findings. Our
investigators, in conjunction with investigators from the Illinois
Attorney General's Office, interviewed the independent analyst who
examined the breach and reviewed the thorough report the analyst
prepared.

One of the suits brought on behalf of an Illinois woman alleges
violations of the Illinois Consumer Fraud Act as well as the Illinois
Personal Information Act.

Schnucks apology.

Schnucks has argued that the suits are without merit and that it
informed customers as soon as it possibly could of the breach.

Attorney Jeff Millar, leading one of the Illinois suits, tells Daily
RFT that new shoppers are frequently joining the class-action suit and
are frustrated with the public apologies from the company.

"Customers are not happy," he says. "They've had to change all their
cards.... They want to see...some remedial measures taken by
Schnucks."

Asked about the latest developments in the litigation earlier this
week, a Schnucks spokeswoman deferred to the company's past comments
on the breach.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges.