If 2014 was “the year of the data breach,” then 2015 is already carrying the torch. Just two days into 2015, Chick-fil-A announced that it is investigating a potential data breach involving payment cards used at its locations. Chick-fil-A was forthcoming with consumers and interested parties in a press release posted to its website on January 2. The release also answered FAQs, such as what customers should do if they think they’ve been impacted and how to check, but bigger questions remain unanswered.
What do we know?
Popular security blog KrebsOnSecurity.com offers a great deal more insight into the breach than Chick-fil-A can officially report pending investigation. Krebs alleges that sources contacted the blog to report possibly compromised data as early as November. The reports were substantiated when a major credit card association alerted banks about a breach at “an unnamed retailer” between December 2013 and September 2014 – which is nearly twice as long as the Home Depot data breach. One of the affected retailers reported nearly 9,000 customer cards listed in the credit card association’s alert, and the only common factor was purchases at Chick-fil-A locations. The anonymous retailer also said that most of the fraud occurred at Chick-fil-A locations in Georgia, Maryland, Pennsylvania, Texas, and Virginia. Krebs speculates that this breach – like the Target, Home Depot, Jimmy John’s, and Dairy Queen breaches of last year – was likely caused by malware installed on their third-party point-of-sale system.
Who’s going to foot the bill?
In its press release about the breach, Chick-fil-A assures customers that they will not be financially responsible for fraudulent charges because any charges would be “the responsibility of either Chick-fil-A or the bank that issued the card.” While this answer will certainly appease anxious customers, it doesn’t answer the question of who’s really footing the bill for charges incurred. After its infamous data breach that rang in 2014, in which over 40 million credit cards were compromised, Target also posted a press release assuring customers “either your bank or Target have that responsibility” to pay for fraudulent charges. But the cost of replacing cards compromised in the Target breach was reported at over $200 million, and that does not include compensation for fraudulent purchases.
Financial institutions balked at the idea that these costs were their responsibility and took their case to court, alleging that Target should be held responsible for allowing its payment systems to be compromised. Their argument scored a major victory in December 2014 when a federal judge rejected Target’s request to dismiss the banks’ lawsuits. The legal struggles between Target and affected banks will likely continue to make headlines throughout 2015 and will undoubtedly set significant precedents for assigning responsibility in cases like Chick-fil-A’s.