A credit union has hit Arby’s Restaurant Group with a proposed class action alleging that the company failed to beef up its cybersecurity, Reuters reported this week.
The move follows a major data breach that may have affected some 355,000 credit and debit cards and hurt thousands of card issuers across the United States.
Filed by the Indiana based Midwest America Federal Credit Union, the lawsuit seeks damages for the costs of investigating and refunding fraudulent charges and replacing cards affected by the breach.
The malware breach reportedly happened between October 25 and January 19, and would have allowed hackers to steal data as cards were swiped at hundreds of Arby’s cash registers.
Dan Berger, the CEO of the National Association of Federally-Insured Credit Unions, called the ongoing waves of retail data breaches “a national nightmare” and reiterated the organization’s call for a national data security standard for retailers.
“Last year, the number of data breaches shattered all records and climbed 40% higher than reported in 2015 and there is no sign of the criminals letting up. In 2017, we have already hit 110 breaches, a 36% percent hike over the same time last year,” said Berger.
Commenting on the breach at Arby’s, Oliver Pinson-Roxburgh, EMEA director at Alert Logic, a leading cloud security provider, said:
“This shows once again that a fundamental change in our approach to data security is required across the board.
“In many respects organisations need to shift their focus to the view of “when” and not “if” a data breach or attack will occur. We can no longer rely on our point security tools to remain effective in isolation.
“It pains me to says this,” he told Retail Risk News, “having worked on point security tools for most of my career.”
Pinson-Roxburgh said fraud resulting from data breaches in the retail sector are taking an average of 207 days to detect, and the detection is normally made by an acquiring bank. This can be because criminals do not take advantage of breaches immediately, he said, but also reflects a general lack of security awareness in most retail businesses.
Security strategy needs to be intelligence driven, says Pinson-Roxburgh, combining big-data analytics poised to detect indicators of compromise combining the wealth of data across all security toolsets, identifying both “sledge hammer” and “needle-in-haystack” breach styles.
“Equally importantly how well organisations protect their “data at rest” will go a long way in helping give customers the assurance that the best was done to protect their data.
“This does highlight the need for consumers to take the lead in the fight against cyber-crime, by continuously replacing cards on a regular (annual if not twice yearly) basis and immediately posting any notification of a data breach at an organisation where transactions will have been made.”