Krystal Data Breach May Have Involved Payment Cards

Kehoe Law Firm, P.C. Investigating Potential Claims on Behalf of Victims of Attack of One of Krystal’s Payment Processing Systems Used at Certain Krystal Restaurants

Kehoe Law Firm, P.C. is investigating potential claims on behalf of victims of a security incident that, according to the Krystal Company, “may have involved payment cards processed by a payment processing system used at certain [Krystal fast-food] restaurants between July through September 2019.”

If you believe you were a victim of Krystal’s data breach and have questions or concerns about Kehoe Law Firm’s data breach investigation or potential legal claims, please contact Kehoe Law Firm, P.C., Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected].

Komando.com reported (“Check your credit card! Fast food chain breached”) that “[t]he South’s version of White Castle is dealing with a data breach. The fast-food company is still trying to determine how many people were affected, but it does know payment information was stolen.”  Further, Komando.com reported that “Krystal, the White Castle of the South, announced payment data was breached at a number of its restaurants. In a press release, the company admitted determining how many people were affected by the breach is difficult because its 342 locations use various payment processes.”

The Krystal Company’s “Notice of Potential Payment Card Incident” contained a list of its restaurant locations which might have been impacted by the payment card incident and stated, among other things, that “[a]lthough its investigation is in its early stages, [Krystal has] learned that the security incident may have involved payment cards processed by a payment processing system used at certain restaurants between July through September 2019.”

Krystal’s FAQs about the data attack stated, among other things, that the “security incident may have impacted payment cards, including debit and credit card numbers,” and Krystal is “still determining specific locations and dates for each restaurant involved in the attack.”

Have You Been Impacted by A Data Breach?

If so, please either contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, [email protected], complete the form on the right or send an e-mail to [email protected] for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions, include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs.  Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.

Hy-Vee Reports Findings of Data Breach Investigation

Hy-Vee’s Investigation Identified The Operation of Malware Designed to Access Payment Card Data – Kehoe Law Firm, P.C. Investigating Potential Claims on Behalf of Victims of Hy-Vee’s Data Breach. 

On October 3, 2019, Hy-Vee reported findings from the investigation of the payment card data incident reported by Hy-Vee in August 2019.  According to Hy-Vee’s announcement:

After detecting unauthorized activity on some of [Hy-Vee’s] payment processing systems on July 29, 2019, [Hy-Vee] immediately began an investigation and leading cybersecurity firms were engaged to assist. [Hy-Vee] also notified federal law enforcement and the payment card networks.

The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (“POS”) devices at certain Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants (which include [Hy-Vee’s] Hy-Vee Market Grilles, Hy-Vee Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates, as well as the cafeteria at Hy-Vee’s West Des Moines corporate office). The malware searched for track data (which sometimes has the cardholder name in addition to card number, expiration date, and internal verification code) read from a payment card as it was being routed through the POS device. However, for some locations, the malware was not present on all POS devices at the location, and it appears that the malware did not copy data from all of the payment cards used during the period that it was present on a given POS device. There is no indication that other customer information was accessed.

The specific timeframes when data from cards used at these locations involved may have been accessed vary by location over the general timeframe beginning December 14, 2018, to July 29, 2019 for fuel pumps and beginning January 15, 2019, to July 29, 2019, for restaurants and drive-thru coffee shops. There are six locations where access to card data may have started as early as November 9, 2018, and one location where access to card data may have continued through August 2, 2019. A list of the locations involved and specific timeframes are available below. For those customers Hy-Vee can identify as having used their card at a location involved during that location’s specific timeframe and for whom Hy-Vee has a mailing address or email address, Hy-Vee will be mailing them a letter or sending them an email.

Payment card transactions were not involved at [Hy-Vee’s] front-end checkout lanes; inside convenience stores; pharmacies; customer service counters; wine & spirits locations; floral departments; clinics; and all other food service areas which utilize point-to-point encryption technology, as well as transactions processed through Aisles Online.

During the investigation, [Hy-Vee] removed the malware and implemented enhanced security measures, and [Hy-Vee] continue[s] to work with cybersecurity experts to evaluate additional ways to enhance the security of payment card data. In addition, [Hy-Vee] continue[s] to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring. [Emphasis added.]

Hy-Vee’s announcement contains a “Location Look Up Tool,” where individuals can determine the “specific Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants [which] were identified during [Hy-Vee’s] investigation as well as the specific time frames.”  Hy-Vee also stated that not all of its locations were involved in the data incident, as well as that the data incident did not affect payment card systems inside of its convenience stores/gas stations.


Data Breach – Data Incident Involving Certain Boy Scouts’ Information

On September 8, 2019, Charlotteagenda.com reported (“Boy Scouts’ information exposed during brief data breach”) that “. . . Trails End said it notified Boy Scouts of America and local councils of ‘a data incident’ that a web developer noticed. Certain information — including children’s full names, dates of birth, email addresses, phone number, parent names, favorite product and affiliation (council, district, unit) — was visible through a search.”

According to the news report, “Boy Scouts nationwide sell popcorn to raise funds for activities like camping trips,” and “[t]o facilitate the sales process, Boy Scouts of America uses a third-party fundraising organization called Trails End.”  Further, according to Charlotteagenda.com, “[i]t’s also unclear how long the information was exposed,” as well as “how many users’ information was vulnerable during the ‘incident,’ and whether it was a local issue or a national one.”

On September 9, 2019, scmagazine.com reported (“North Carolina Boy Scouts PII compromised”) that “[a] third-party vendor that handles sales for the Boy Scouts of America suffered a data breach exposing the PII of up to 12,900 Mecklenburg County Council scouts.”  Additionally, scmagazine.com reported that “Trails End last week told the North Carolina Scouts that information including children’s full names, dates of birth, email addresses, phone number, parent names, favorite product and affiliation (council, district, unit) were compromised, according to the Charlotte Agenda.”


MoviePass – Exposure of Thousands of Customer Card Numbers

Exposed Database Reportedly Found On One of MoviePass’s Subdomains – Records Included Sensitive User Information

On August 20, 2019, TechCrunch.com reported that

. . . ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password.

Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company’s many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service — but many also included sensitive user information, such as MoviePass customer card numbers.

These MoviePass customer cards are like normal debit cards: they’re issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies. For a monthly subscription fee, MoviePass uses the debit card to load the full cost of the movie, which the customer then uses to pay for the movie at the cinema. [Emphasis added.]

Further, TechCrunch.com reported that

[TechCrunch.com] reviewed a sample of 1,000 records and removed the duplicates. A little over half contained unique MoviePass debit card numbers. Each customer card record had the MoviePass debit card number and its expiry date, the card’s balance and when it was activated.

The database had more than 58,000 records containing card data — and was growing by the minute.

[TechCrunch] also found records containing customers’ personal credit card numbers and their expiry date — which included billing information, including names and postal addresses. Among the records [TechCrunch] reviewed, [TechCrunch] found records with enough information to make fraudulent card purchases.

Some records, however, contained card numbers that had been masked except for the last four digits.

Importantly, TechCrunch.com reported that “[i]t’s understood that the database may have been exposed for months, according to data collected by cyberthreat intelligence firm RiskIQ, which first detected the system in late June.” [Emphasis added.]


Hy-Vee Issues “Notice of Payment Card Data Incident”

Hy-Vee Supermarket Chain Issues “Notice of Payment Card Data Incident”

On August 14, 2019, Hy-Vee published a “Notice of Payment Card Data Incident,” which, among other things, stated that Hy-Vee is investigating:

. . . a security incident involving [its] payment processing systems that is focused on transactions at some Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants, as well as to provide information on the measures [Hy-Vee has] taken in response and steps customers may consider taking as well.

After recently detecting unauthorized activity on some of [its] payment processing systems, [Hy-Vee] immediately began an investigation with the help of leading cybersecurity firms. [Hy-Vee] also notified federal law enforcement and the payment card networks. [Hy-Vee believes] the actions [it has] taken [has] stopped the unauthorized activity on [its] payment processing systems. [Hy-Vee’s] investigation is focused on card transactions at our fuel pumps, drive-thru coffee shops, and restaurants (which include our Market Grilles, Market Grille Expresses and the Wahlburgers locations that Hy-Vee owns and operates). These locations have different point-of-sale systems than those located at [Hy-Vee] grocery stores, drugstores and inside [its] convenience stores, which utilize point-to-point encryption technology for processing payment card transactions. This encryption technology protects card data by making it unreadable. Based on [Hy-Vee’s] preliminary investigation, [Hy-Vee believes] payment card transactions that were swiped or inserted on these systems, which are utilized at [its] front-end checkout lanes, pharmacies, customer service counters, wine & spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved. [Emphasis added.]

On August 15, 2019, supermarketnews.com reported (“Hy-Vee notifies customers of payment data breach”) that

Supermarket chain Hy-Vee has revealed that the credit card payment information of some of its customers has been exposed in a recent data breach. The exact number of customers and locations has not yet been determined.

The West Des Moines, Iowa-based operator of 245 stores says there was a “security incident” involving the payment processing systems at its fuel pumps, drive-through coffee shops and restaurants. The restaurants include its Market Grilles, Market Grille Express and company-owned Wahlburgers locations operating at its stores. [Emphasis added.]


StockX Data Breach – Customer Data of More Than 6 Million Affected

StockX Reports That an Unknown Third-Party Gained Access to Customer Data

On August 3, 2019, StockX, “the world’s first stock market for things – a live ‘bid/ask’ marketplace,” posted that StockX was

. . . alerted to suspicious activity potentially involving customer data. Upon learning of the suspicious activity, [StockX] immediately launched a comprehensive forensic investigation and engaged third-party data incident and forensic experts to assist. Though [StockX’s] investigation remains ongoing, forensic evidence to date suggests that an unknown third-party was able to gain access to certain customer data, including customer name, email address, shipping address, username, hashed passwords, and purchase history. From [StockX’s] investigation to date, there is no evidence to suggest that customer financial or payment information has been impacted. [Emphasis added.]

StockX’s “Notice of Data Breach” sent to its customers stated, among other things, the following:

What Happened?

On July 26, 2019, StockX was alerted to suspicious activity potentially involving customer data. [StockX] immediately launched a forensic investigation and engaged experienced third-party experts to assist. During this first week, while [StockX’s] forensic investigation into the suspicious activity was underway, [StockX] took proactive and precautionary measures to protect our customers.  As described in greater detail . . . below, [StockX] deployed a system-wide update, implemented a full password reset of all customer passwords for all StockX accounts, and on the morning of August 1, 2019 sent customers an email alerting them to the systems update and password reset.

As [StockX’s] investigation continued, forensic evidence revealed that an unknown third party had been able to gain unauthorized access to certain customer data from [StockX’s] cloud environment on or around May 14, 2019. [StockX] worked swiftly to issue an email update of the matter to [StockX’s] customers and are now making this notification to further apprise you of additional facts from our investigation.

As part of [StockX’s] efforts to catch the perpetrator, [StockX has] contacted law enforcement and [has] been working with them in their investigation of the incident. [The]  investigation into the nature, extent, and scope of the incident remains ongoing, and [StockX] will update you with additional information as necessary.

What Information Was Involved?

From [StockX’s] investigation to date, the information affected may include your name, email address, address, username, hashed password, and purchase history.

As indicated in [StockX’s] prior communications, there is no evidence to date to suggest that any of your financial or payment information has been affected. That is because StockX does not store full payment card or financial data of its customers on its network servers or platform. Instead, any StockX payment card data is processed, stored, and hosted by a third-party payment processor, and not StockX. Based on [StockX’s] investigation to date, [StockX has]  no evidence to suggest that [its] third-party payment processing partners or [its] third-party platform has been affected by this incident, nor [does StockX] have any evidence to suggest that any of the customer financial or payment information stored by that third-party has been affected. [Emphasis added.]

Customer Data of Millions Reportedly Exposed by the Data Hack

Techcrunch.com reported [“StockX was hacked, exposing millions of customers’ data”] the following:

It wasn’t “system updates” as it claimed. StockX was mopping up after a data breach, TechCrunch can confirm.

The fashion and sneaker trading platform pushed out a password reset email to its users . . . citing “system updates,” but left users confused and scrambling for answers. StockX told users that the email was legitimate and not a phishing email as some had suspected, but did not say what caused the alleged system update or why there was no prior warning.

A spokesperson eventually told TechCrunch that the company was “alerted to suspicious activity” on its site but declined to comment further.

But that wasn’t the whole truth.

An unnamed data breached seller contacted TechCrunch claiming more than 6.8 million records were stolen from the site in May by a hacker. The seller declined to say how they obtained the data.

In a dark web listing, the seller put the data for sale for $300. One person at the time of writing already bought the data.

The seller provided TechCrunch a sample of 1,000 records. [TechCrunch] contacted customers and provided them information only they would know from their stolen records, such as their real name and username combination and shoe size. Every person who responded confirmed their data as accurate.

The stolen data contained names, email addresses, scrambled password (believed to be hashed with the MD5 algorithm and salted), and other profile information — such as shoe size and trading currency. The data also included the user’s device type, such as Android or iPhone, and the software version. Several other internal flags were found in each record, such as whether or not the user was banned or if European users had accepted the company’s GDPR message. [Emphasis added.]
