Less than a day after reporting a large-scale security breach that may have compromised customer credit-card information, Burgerville has been hit with a class-action lawsuit alleging the company was negligent in its cybersecurity practices.
The lawsuit was filed Wednesday in Multnomah County Circuit Court by plaintiff Cassandra Nelson on behalf of herself and other customers. The suit identifies Nelson as an Oregon resident who used a debit card to purchase food at multiple Burgerville locations in the Portland metro area in 2017 and 2018. Nelson is represented by Portland-based attorney Michael Fuller, a self-styled “underdog lawyer” who has represented employees and customers in several lawsuits against large companies.
Burgerville is headquartered in Vancouver and operates 42 restaurants in Oregon and Southwest Washington. The company revealed Wednesday morning that its computer network was compromised by malware at some point in September 2017, giving hackers access to the company’s computers and data on an ongoing basis. The company believes an international cybercrime group called FIN7 is responsible for the hack.
The hackers were able to access credit and debit card information from customer transactions, including card numbers, expiration dates and three-digit security codes. A Burgerville representative said the company runs debit card transactions as credit card charges without using Personal Identification Numbers, so no customer PINs are believed to have been stolen.
Burgerville said it was notified of a cybersecurity breach by the Federal Bureau of Investigation on Aug. 22 and began an internal investigation, but did not discover that the breach was still active until Sept. 19. The company says it first worked to identify all of the hackers’ pathways into its systems, then took all of its computers offline simultaneously in order to update them and close all the pathways. The operation was completed Sept. 30.
A company representative said Burgerville didn’t publicly disclose the hack until after it had finished repairing its systems in order to avoid potentially alerting the hackers and giving them an opportunity to create new covert pathways into the network.
Slow to disclose hack
Nelson’s lawsuit alleges the company failed to notify consumers about the data breach “in the most expeditious manner possible as Oregon law requires.” When contacted by The Columbian, Fuller expressed doubt about Burgerville’s stated timeline of events, and said that in previous cases his firm found that companies knew about data breaches long before disclosing them.
“The fact that [Burgerville] waited that long caused extra harm to some people,” he said. “Consumers would have had the chance to freeze their credit before the damage was done.”
The lawsuit also asserts that Burgerville failed to maintain adequate technology and cybersecurity to keep its network secure and protect customers’ credit and debit card information.
“Burgerville knew and should have known that failure to maintain adequate technological safeguards would eventually result in a massive data breach,” the lawsuit alleges. “Burgerville could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to.”
The lawsuit asks for a full accounting of how the hackers gained access to Burgerville’s systems and seeks a court order for Burgerville to preserve all documents and information related to the case. It also seeks relief for Burgerville customers’ economic losses in amounts to be decided by a jury.
Fuller said the value of the losses could vary by customer. For some people it could simply be the time needed to monitor their credit and replace their cards, while for others it could be costs stemming from identity theft and fraudulent credit card charges.
“It’s a huge mess, and it’s going to have to be monitored for years now, unfortunately,” he said.
Fuller said Nelson reached out to him shortly after the breach was announced and was able to identify several times when she had used a debit card at Burgerville, making her a “natural fit” for the case. They were able to file the lawsuit three hours after the announcement. But, Fuller said, the lawsuit will be amended to add several additional plaintiffs if Burgerville doesn’t settle the case.
“We’ve got dozens and dozens of people who have reached out in the past 24 hours,” he said on Thursday. “We’re going to give Burgerville the chance to do the right thing.”