The Burgerville data breach may have been ongoing for nearly a year, a new statement from the chain reveals. And at least one Portland customer has already filed a class action lawsuit to ensure compensation for any losses incurred.
The suit, filed by local attorney Michael Fuller on behalf of complainant Cassandra Nelson, alleges: "Burgerville knew that its failure to protect [the] plaintiff's card information from unauthorized access would cause serious risks of credit harm and identity theft for years to come."
It continues: "In an attempt to increase profits, Burgerville negligently failed to maintain adequate technological safeguards to protect plaintiff's information from unauthorized access by hackers."
Fuller says Nelson used a debit card at Burgerville multiple times last year, and contacted him to discuss litigation options.
According to Chris Crabb, a Burgerville spokesperson, the reason for the chain's silence was that its work with the FBI was deemed confidential.
Crabb says the company learned on Aug. 22, 2018 about a data breach that had occurred a year prior, in Sept., 2017. Crabb says the company then-believed the cyberattack to have been a "brief intrusion that no longer existed," and worked with the FBI to launch a forensic investigation.
On Sept. 19, 2018, Crabb says, the FBI determined that the breach was still active. Crabb says, the company then "immediately began steps to remediate the breach"—including completing a remediation plan on Sept. 30.
During the investigation, and after the initial breach last year, Burgerville did not issue a warning to customers.
Crabb says that's because, "The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company's network."
Fuller doesn't buy it.
"That's what they all say," he tells WW.
He says the chain may have violated a 2007 Oregon law, ORS 646A.600, which states that notifications of security breaches must "made in the most expeditious time possible and without unreasonable delay," unless "a law enforcement agency determines that the notification will impede a criminal investigation." (The latter is what Crabb says happened at Burgerville.)
Still, Fuller notes, even if Burgerville had notified customers immediately, there would still have likely been collateral damage.
He says that the best-case scenario now for victims of the breach is that Burgerville will be able to use its company insurance to make compensation offers on credit repair and costs associated with credit monitoring.
Burgerville could not be immediately reached for comment on the lawsuit.