More Class-Action Suits Brought Against MAPCO Over Hacking

BRENTWOOD, Tenn. -- MAPCO Express is now facing three class-action lawsuits in the wake of a malware attack that reportedly compromised the credit and debit card information of certain customers. The suits allege that the security breach exposed payment details on hundreds of debit and credit cards, according to a report by BankInfoSecurity.com.

As CSNews Online previously reported, MAPCO announced in May that malware allowed third-party hackers to access the payment card processing systems of its convenience stores between March 19-25, April 14-15 and April 20-21.

When the company discovered the attack, it took steps to disable the malware and hired a nationally recognized forensics security investigations firm to determine whether an information breach had occurred, the nature of the malware and whether payment card information may have been compromised. MAPCO also took steps to further strengthen the security of its payment card processing systems to block information security attacks.

The three class-action suits seek unspecified damages for financial losses linked to fraud, as well as monetary compensation for the identity theft and credit reporting burden the exposed cardholders now face.

On July 3, MAPCO filed a motion to have two of the suits dismissed. The retailer said the suits filed on behalf of Brooke Davis on June 14 and Ian Yeager on June 17 are identical to the first suit filed May 14 on behalf of Brian Burton. "All three actions seek the same relief on behalf of the same putative class against MAPCO," the motion states. "The class definitions are practically word-for-word identical."

According to the BankInfoSecurity.com report, one of the suits pegs the MAPCO breach costs at upwards of $5 million. Two of the plaintiffs, Davis and Burton, claim fraudulent transactions resulted from the compromise. All three suits allege that MAPCO and its parent company Delek US Holdings -- also named in the claims -- failed to adequately protect customer accounts and did not notify the public in a timely manner.

"The defendant had a duty to timely disclose the data compromise to all customers whose credit and debit card information and other non-public information was, or was reasonably believed to have been, accessed by unauthorized persons," one filing states. "Class members were harmed by [the] defendant's delay because, among other things, fraudulent charges have been made to class members' accounts."

In a July 8 statement provided to Information Security Media Group, MAPCO said its internal investigation is complete. "The investigation by law enforcement officials is ongoing and we intend to cooperate as needed, but defer any comment regarding the criminal investigation to them," the company stated. "Since the incident, MAPCO has worked with an external consultant to recommend and implement additional security precautions to better protect the integrity of our transactions."

Those precautions included the implementation of new monitoring software and a robust authentication system, MAPCO noted. "Numerous other policy and procedure changes have been implemented to fortify the IT network perimeter," the company added.

"While no system is impervious to determined criminal hackers, we are confident that we have appropriate systems in place to guard against data theft," MAPCO concluded. "We will continue to be vigilant about our security measures going forward and want to reassure customers that we value their business and will continue to act responsibly with the trust they place in us in the course of everyday business."