Was Chipolte’s Breach Due To Willful Negligence and Elementary Security?
Chipolte seems to be challenged to catch a break. After the E.coli outbreak in 2015 and shareholder lawsuits, Chipolte tried to make a comeback. Last month the announced that they had been hacked and credit cards compromised. Chipolte hasn’t said which restaurants were affected or how many cards were compromised, but they have announced the time range of the breach – March24, 2017 to April 18, 2017.
Chipolte’s advice to customers: Watch your credit card statements and if you see something wrong, contact your bank – you are generally not responsible for fraudulent charges.
While true, it doesn’t sound like Chipolte is taking much responsibility for the breach and that is the basis for the proposed class action. The suit was filed on May 4th and has not been class certified yet.
The members of the proposed class action are 100 plus banks and credit unions who say their damages exceed $5 million.
The suit estimates that hundreds of thousands of Chipolte customers could have had their credit cards hacked.
The big issue in the suit is the fact that Chipolte apparently intentionally chose not to upgrade its credit card system to use the chip cards. Chip reader enabled credit card terminals encrypt the credit card information the moment it is entered into the terminal and not decrypted until it reaches the credit card processor. This makes things much harder – although not impossible – for the crooks to hack in and obtain useful credit card information.
And why, you ask, hasn’t Chipolte upgraded its credit card system to use the new chip readers? Because they are slower and that would slow down the line. This is basically the same excuse Wendys gave for not upgrading. It’s expensive to upgrade and slows things down.
But there is a twist to this. Since October 2015, merchants who don’t upgrade to chip readers are (basically, there are some nuances to this) 100% liable for all costs of a breach based on language in their credit card merchant agreement.
What hasn’t happened yet is the credit card industry enforcing this on a large scale, but it is likely to happen at some point. If a company like Chipolte gets hit with a mega fine, that will likely get people’s attention.
There is a long way to go on this. The first hearing is July 18 in Denver. The banks are saying that not installing chip readers is negligence. We shall see of the court agrees.
Information for this post came from Denver’s Channel 7.