Sophia Mekkers’ two kids like Burgerville. A lot.
So much so, the Newberg, Ore., mom took them there to eat 21 times in the past year. And it caught Mekkers’ attention this month when the fast-food chain disclosed it had been subject to a massive hack and that cyberthieves may have made off with thousands of customers’ credit and debit card information.
Her concern turned to alarm a couple of weeks later when she checked her bank statement and found thousands of dollars in unauthorized charges. There were hundreds of dollars in purchases at Home Depot and Lowe’s — and $5,000 in designer boots from the premium footwear company Donald Pliner.
“When I saw this it was shocking, but at the same time I’m like, ‘Oh my God, I’m one of the Burgerville people,’ ” Mekkers said. It permanently dented her trust in a favorite restaurant.
“I’m very disappointed they didn’t protect the data of their customers better,” said Mekkers, who immediately joined a class-action complaint against the company. “My kids really enjoy Burgerville, and I shouldn’t have to worry about my data getting compromised.”
Burgerville disclosed the breach Oct. 3 but has given no estimate of how many customers’ credit and debit card numbers were compromised. The company said it could potentially affect anyone who paid for their meal with a bank card between September 2017 and September 2018.
Though that represents an enormous security breach, it doesn’t necessarily mean a huge volume of theft from Burgerville customers’ bank and credit card accounts.
No need to panic
Oregon banks and credit unions say they have seen very little fraud so far. And security experts say that, while customers should be vigilant about their finances, there’s no need to panic.
“Most people who have had their credit card taken won’t ever experience a loss,” said Pat Cox, a veteran Oregon technologist, now chief executive of TrustID, which provides identity authentication services to combat financial and consumer fraud.
Credit and debit card numbers alone won’t enable cyberthieves to make online purchases, according to Cox. The thieves need to come up with matching data — names, addresses or other personal data merchants require to process a credit card online.
“They’ve got to have enough information about you to be credible,” Cox said. That takes time and effort and explains why even massive breaches, like those at Target (in 2013) and Home Depot (in 2014), didn’t produce an overwhelming deluge of fraud.
OnPoint Community Credit Union has notified some customers — including Mekkers — that their debit cards may have been compromised in the Burgerville hack and is sending them replacement cards. But the Portland financial institution says it hasn’t seen any more fraud than in prior incidents.
“There have been few reports of fraudulent activity to date, but we are taking a very proactive approach,” the Portland credit union said in a written statement.
Portland-based Umpqua Bank likewise says it has not seen an “unusual recent uptick in fraud” following the Burgerville breach. The bank said it has a card detection system that looks for suspicious transactions and shuts them down but recommends everyone have a backup card in case one card becomes compromised.
Umpqua said federal consumer protections give customers at least 60 days to report suspicious activity and that either the merchant or the bank will reimburse the account for fraud discovered during that time period.
Burgerville says it was among dozens of companies victimized by a ring of cybercriminals in Eastern Europe. The gang, known as “FIN7,” attacked restaurant, gaming and hospitality businesses, according to federal authorities. Those hacked include Chipotle Mexican Grill, Chili’s, Arby’s and Red Robin.
Federal prosecutors have indicted three Ukrainians in connection with the attack but stolen bank card numbers could have been sold online already and may be floating around the internet.
Burgerville said this week it has signed up with a service called AllClear Identity Repair to assist customers who have had problems with their debit or credit cards that they believe may be related to the hack. Additionally, Burgerville says customers can enroll for free in an AllClear monitoring service that provides a $1 million identity theft insurance policy.
The company also recommends customers monitor their credit and debit card activity, set up account alerts for all the cards they used at Burgerville, obtain a credit report and consider freezing their credit.
It exasperates Mekkers that the onus is on customers to clean up after a breach like Burgerville. She said she and her family will probably still eat there, but will probably pay cash from now on.
“All businesses, especially those that accept debit and credit, they need to step it up,” Mekkers said.
