Macaroni and Malware: Hundreds of Noodles & Company Locations Hacked, Exposing Consumer Financial Information

In the wake of Wendy’s announcement of a data breach in its point-of-sale system, Noodles & Company recently announced that it too was a victim of a cyber-attack, which may have resulted in access to thousands of customers’ debit and credit card data. Noodles & Company’s June 28, 2016 press release identifies restaurant locations in 27 states and Washington DC in which data security may have been breached.

In its press release, Noodles & Company states that it began investigating on May 17, 2016, after its credit card processor reported “unusual activity.” It immediately hired a third-party forensic expert to investigate, and on June 2, 2016, it discovered evidence of “suspicious activity on its computer system that indicated a potential compromise.”

Noodles & Company states that it is “moving forward on a number of fronts” in response to the data breach, including working with third-party forensic investigators, operating with the United States Secret Service, and providing guidance to guests who may have been affected. In a subsequent press release, Noodles & Company asserts that it “contained the incident once the malware was identified and credit and debit cards used at the affected locations identified are no longer at risk from the malware involved in [the] incident.” Nonetheless, it will not be a surprise if Noodles & Company suffers the same fate as Wendy’s: defending a federal consumer class-action lawsuit.

We will continue to monitor and report on this story as it develops.

Addressing the Wendy’s Data Breach Proves Difficult Due to Size of Breach and Company’s Structure

As discussed earlier, Wendy’s announced that it was investigating a possible breach of its point of sale systems (“POS”), after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. An earlier Wendy’s press release stated “[b]ased on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”

It has been reported by Security expert Brian Krebs that “some breached Wendy’s locations were ‘still leaking’ customer card data at the end of March 2016 and into early April.” A statement by Wendy’s spokesman Bob Bertini said, in response to questions about the duration of the breach at some stores, “[a]s you are aware, our investigator is required to follow certain protocols in this type of comprehensive investigation and this takes time. Adding to the complexity is the fact that most Wendy’s restaurants are owned and operated by independent franchisees.”

It has been opined that the extent and duration of the breach was a result of its size. Specifically, Tod Beardsley, security research manager at cybersecurity specialist Rapid 7, stated that the “fact that the breach affected only 5 percent of Wendy’s locations was likely a contributing factor to its success. A small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialize.” Unfortunately, the detection time allows the individuals involved to go on spending sprees comprised of unauthorized purchases well after the breach took place.

At this time it seems investigators are still trying to wrap their arms around the problem so we may not know the extent and duration of this breach for some time.

Wendy’s May Face Liability for Failing to Upgrade Payment Systems

As was previously reported, October 1, 2015 signaled a fraud “liability shift” between credit card issuers and merchants, in which liability for fraudulent credit card transactions began falling on whichever party used the lower level of security and compliance with EMV standards. While merchants are not required to adopt EMV technology (which reads chip cards, as opposed to the less secure magnetic strip cards), in the event of a data breach, their failure to do so can now render them responsible for the costs associated with the fraudulent use of stolen credit card information. This liability shift has created a very strong incentive for merchants to implement EMV chip card readers.

For companies that have not opted to make the EMV transition, lawsuits may begin to abound. One of the first suits targeting a retailer for its failure to keep up with industry standards was filed on February 8, 2016, in the wake of a possible data breach at the nationwide fast food chain, Wendy’s.

On January 27, 2016, Wendy’s announced that it was investigating a possible breach of its point of sale systems, after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. Wendy’s hired a cybersecurity firm to investigate the potential breach – which involved transactions in late 2015 – who discovered malware designed to steal customer payment data on computers that operate Wendy’s payment processing systems in certain locations.

An Orlando, Florida man purporting to be a victim of the Wendy’s breach initiated a class action lawsuit against the company on February 8, 2016, claiming that Wendy’s “lackadaisical” and “cavalier” security measures allowed his debit card data to be stolen and used to purchase nearly $600.00 of merchandise from various retailers. The lawsuit alleges that Wendy’s could have prevented the breach, yet maintained a system that was insufficient and inadequate to protect customers’ data. An attorney representing the plaintiff suggested that Wendy’s failed to incorporate technology allowing for use of chip-enabled cards, and that the lawsuit may expose the danger of failing to adopt such a system.

The threat of similar class action litigation may serve as a wake-up call for retailers who have failed or otherwise delayed in implementing up-to-date security measures. The suit, Jonathan Torres vs. The Wendy’s Company, can be found here.

Hacking Major League Baseball

The FBI and the U.S. Justice Department are investigating whether St. Louis Cardinals officials hacked into the Houston Astros’ internal networks. This appears to be one of the first suspected cases of corporate espionage relating to a professional sports team hacking the database of another team.

According to numerous reports, FBI investigators appear to have uncovered evidence that the Cardinals breached the Astros’ databases, and one database in particular known as “Ground Control,” to obtain information and internal discussions about trades, proprietary statistics and scouting reports. This information could be used for a variety of purposes including knowing what players are being scouted, the team’s scouting methods and other proprietary information of the team.

Reports also indicate that the attack may have been launched to cause problems for Astros’ general manager Jeff Luhnow, who left the Cardinals in 2011. According to some reports, the Cardinals’ officials were concerned that Luhnow may have taken the team’s proprietary information to the Astros. Speculation is that the Cardinals may have simply tried a series of passwords (Luhnow has denied that he used similar passwords while working for the two teams) until they were able to gain access to the Astros’ network. Whether true or not, this is another example of why passwords should not be recycled or used universally across different platforms and applications. Rather, users should use different passwords, mix uppercase, lower case and symbols.

We will continue providing updates to the investigation of the House of (the) Cards, as they occur.

FCC Fines Prompt AT&T to “Zealously Guard” Customers’ Personal Information

On April 8, 2015, the Federal Communications Commission (“FCC”) announced its largest ever data security settlement requiring AT&T to pay $25 million to resolve an investigation into data security breaches at its call centers in the Philippines, Mexico, and Colombia. AT&T’s privacy violations involved the unauthorized disclosure of the names, full or partial Social Security Numbers, and other protected customer proprietary network information (“CPNI”) of nearly 280,000 U.S. customers.

The initial focus of the FCC’s investigation was a 168-day long breach beginning in November 2013 at AT&T’s call center in Mexico where thousands of customer accounts were accessed and sold without authorization. The buyers, who were likely trafficking stolen cell phones, submitted nearly 291,000 handset unlock requests to AT&T’s Mexico call center. Similar breaches occurred in Columbia and the Philippines, where a combined total of approximately 211,000 customer accounts were accessed without authorization.

In response, the FCC brought charges of violations of Sections 222 and 201(b) of the Communications Act (the “Act”) against AT&T for failure to timely report the breaches. Section 222 of the Act requires companies like AT&T to take every reasonable precaution to protect customer data, including CPNI, and to take reasonable measures to discover and report attempts to access CPNI, including notifying law enforcement “as soon as practicable, in no event later than seven (7) business days, after reasonable determination of the breach.” Section 201(b) of the Act prohibits unjust and unreasonable practices.

4-28AT&T notified law enforcement of the Mexico call center breach on May 20, 2014, over a month after it began its internal investigation, and several months after the actual breach. In an effort to mitigate the breach, AT&T notified victims of the breach and the California Attorney General, terminated its relationship with the Mexico call center, mandated the uniform use of partial social security numbers in all call centers, and developed new customer account monitoring and phone access/unlock policies.

The FCC settlement also mandates the implementation of a permanent, strict compliance plan that requires AT&T to:

  1. designate a senior compliance manager who is a certified privacy professional;
  2. complete a privacy risk assessment reasonably designed to identify internal risks of unauthorized access, use, or disclosure of personal information and CPNI;
  3. implement an information security program reasonably designed to protect CPNI and personal information from unauthorized access, use, or disclosure;
  4. prepare a compliance manual to be distributed to all covered employees and vendors; and
  5. regularly train employees on its privacy policies and applicable privacy legal authorities.

AT&T is required to report any noncompliance to the FCC and must file regular compliance reports for the next three years.

The FCC has taken the position that phone companies are expected to “zealously guard” their customers’ personal information and that the FCC “will exercise its full authority against companies that fail to safeguard the personal information of their customers.” This position tracks the trend of active enforcement of consumer data security breaches over the past year. To that end, companies in possession of CPNI and other protected customer information should heed the Agreement and “look to [it] as guidance” for protecting customer information and avoiding liability under Sections 222 and 201(b) of the Act.

We expect that other telephone companies/carriers will continue to evolve and implement heightened security measures in response to this settlement, and the FCC will surely investigate those companies who are not in compliance.

Image courtesy of Flickr by Michael Weinberg

FTC Charges Data Broker with Theft of Consumers’ Information and Money from Accounts

According to a recent Federal Trade Commission complaint, a data broker sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts.  The complaint alleges that data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

According to the FTC’s website and the complaint, these defendants would collect hundreds of thousands of payday loan applications from payday loan websites.  These website applications, including those bought and sold by LeapLab, contained consumers’ sensitive financial information, names, addresses, phone numbers, Social Security numbers and bank account numbers including routing numbers.

The FTC’s complaint alleges that certain non-lender third parties included marketers that made unsolicited sales offers to consumers via email, text message, or telephone calls.  According to the FTC’s complaint, the defendants had reason to believe these marketers had “no legitimate need” for the sensitive information they were selling. The defendants in the case are alleged to have violated the FTC Act’s prohibition on unfair practices.

The FTC notes that it files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the FTC that a proceeding is in the public interest.  We will monitor this case and provide further updates of interest.

Image courtesy of Flickr by John Taylor.

Dropbox Accounts Exposed

Business Insider and many others are reporting that hackers have acquired nearly 7 million account usernames and passwords. News coverage of the recent breach of Dropbox account security reveals that hackers have provided a “teaser” of 400 accounts and associated passwords on pastebin.com, which as of this writing shows that there have been more than 171,976 views.

Dropbox has explained that its services are fully encrypted, and denies responsibility for the leak of emails and passwords, pointing to third-party services that exposed the credentials. Dropbox also claims that all of the passwords that were hacked are expired. Dropbox, for its part, encourages users to enable two-step verification, which should harden account security.  In fact, the nice folks at Business Insider prepared a slideshow to assist in how to implement two-step verification security here.

Professionals who use cloud servers to provide medical, legal and financial services should understand that doing so may be at their own risk, as a cloud server provider or host may not provide indemnification or other recourse in the event of privacy and data breaches. Be sure to carefully read server or cloud provider contracts to assess the scope of any limitation of liability (typically a monetary limit and consequential damages disclaimer) that may be inadequate for a customer’s potential losses in the wake of a breach or other unauthorized disclosure of information.  As with all gathering, storage and use of personal and confidential information, there must be safeguards and risk assessment at each level to avoid being hit with the full liability of a data breach.

Image courtesy of Flickr by Dropbox In 30 Minutes

Does the Attorney-Client Privilege Shield Data Breach Investigations?

Whenever a privacy breach occurs at a company, time is of the essence. The theft could involve stolen sensitive financial data, credit card information, health data, Social Security information or other personal identifying information relating to customers and/or employees of the company.

Remember the attorney-client privilege is important when engaging with investigatory service providers that will create documentation such as “incident” reports or “computer forensics” reports. Since hiring outside counsel can help ensure that the investigation of the breach is protected by the attorney-client privilege, it also is important to know the limits of this protection.

The attorney-client privilege protects communications concerning the breach investigation; the privilege does not protect the fact that the breach occurred.  Furthermore, the attorney-client privilege cannot be used as a shield to void any applicable notification requirements under state and federal law.  Utilize your company’s outside counsel as a part of your data breach team to analyze the type of data breach at issue.  If required, the notification itself should be sent to all parties affected and should be issued in a clear, succinct, and precise manner.

Finally, if you hire a forensics examiner, have outside counsel engage the forensics team so that such investigation can also be protected by the attorney-client privilege.  Bear in mind that the forensics team should ideally have your top information technology team members, your in-house counsel, if any, your outside counsel and any key members of your public relations team.  Being prepared before a data breach will minimize the level of business disruption and your potential damages.