Login Register Subscribe
Current Issue

Arby’s sued by credit card issuer over data breach

Reprints

Fast food restaurant chain Arby’s Restaurant Group Inc. is being sued by a Visa credit card issuer in a putative class action in connection with the data breach the company announced earlier this month.

The Atlanta-based fast-food chain had announced in a statement on its website that it was “recently provided with information that prompted it to launch an investigation of its payment card systems.” According to media reports, more than about 350,000 credit and debit cards have been impacted.

The lawsuit filed by Fort Wayne, Indiana-based Midwest America Federal Credit Union, which issues Visa payment cards, says, “Despite the threat of computer system intrusion, defendant systematically failed to comply with industry standards and its statutory and common law duties to protect the payment card data of its customers.”’

The lawsuit, which was filed in U.S. District Court in Atlanta on Feb. 10, and just publicized, said the costs and financial harm caused by Arby’s’ negligent conduct include canceling and reissuing compromised cards and reimbursing their members for fraudulent charges.

“Industry sources estimate that the fraudulent charges associated with this breach at Arby’s have been more concentrated than in other recent data breaches (e.g., Target Home Depot and Wendy’s) and caused plaintiff and other members of the class to suffer much greater losses,” said the lawsuit.

The lawsuit says it is estimated the exposure window for the breach of the computer system was from Oct. 25, 2016. to Jan. 19, 2017, or almost three months, and that indications are that credit and debit card information, such as cardholder names, primary account numbers, expiration dates and in certain instances PIN numbers may have been compromised.

The lawsuit charges Arby’s with negligence and seeks declaratory and injunctive relief.
A company spokesman could not immediately be reached for comment.