A Philadelphia chain of sandwich shops is facing a class-action lawsuit over a data breach that went undetected for 7 months.
Earlier this month, PrimoHoagies revealed that cyber-attackers had broken into its online payment platform and accessed the payment card information of customers who made online purchases between July 15, 2019, and February 18, 2020. Customers who made purchase in-store were not impacted.
PrimoHoagies said it only discovered the breach "after receiving notice of unusual payment card activity from a few customers who ordered online."
According to a statement issued by PrimoHoagies Franchising, Inc. on April 17, "the affected payment card information may have included names, addresses, payment card numbers, expiration dates, and security codes."
The popular East Coast sandwich chain, which is based in Westville, franchises more than 85 eateries in eight states between Florida and New Jersey.
After discovering the prolonged breach, PrimoHoagies said it contacted "payment card brands so steps could be taken to prevent fraudulent activity on any affected cards," and advised customers to "carefully review and monitor their payment card account statements."
On April 23, Edward D. Hozza III brought a suit against the sandwich shop chain, which he accuses of failing to take adequate steps to protect customers against the theft of "highly sensitive and personal payment card information."
In the filing, Hozza, of Lehigh County, Pennsylvania, states that his credit card company had to issue him with a new card after his account was used for fraudulent purchases in September 2019.
According to the Cherry Hill Courier-Post, Hozza contends that the breach will cause victims "to undertake expensive and time-consuming efforts, including placing 'freezes' and 'alerts' with credit reporting agencies." He predicts that the number of PrimoHoagies customers affected by the cybersecurity breach is "likely in the millions."
The suit was filed in Camden Federal Court with Hozza represented by Anthony Christina of West Conshohocken, Pennsylvania. Hozza is seeking unspecified compensatory and punitive damages on behalf of all PrimoHoagies customers whose card payment data was exposed in the prolonged cybersecurity incident.
The plaintiff is further seeking for PrimoHoagies to offer at least three years of identity theft– and credit card–monitoring services to all online customers affected by the breach.