A Six-Figure Credit Breach at Five Guys

     SCHENECTADY, N.Y. (CN) - Five Guys burger joints failed to safeguard their data, giving hackers access to the accounts of debit-card-paying customers, a bank claims in court.
     Trustco Bank says the hackers racked up more than $89,800 in charges on the accounts of clients who visited Five Guys restaurants in Albany, Schenectady, Warren and Saratoga counties.
     The defendants in the complaint, filed in Schenectady County Supreme Court, are RSVT Glenmont LLC, RSVT Niskayuna LLC, RSVT Queensbury LLC and RSVT Saratoga Springs LLC. Each operates a Five Guys restaurant in the communities listed in their names.
     Five Guys Burgers & Fries, founded in the Washington, D.C., area in 1986 as a mom-and-pop take-out, began franchising in 2003 and now has more than 1,000 locations in the United States and Canada, according to its website. The eatery often is voted No. 1 for fresh burgers and fries by local foodies.
     Trustco, a $4.4 billion bank headquartered in suburban Glenville, says it learned in late 2011 of fraudulent transactions occurring on MasterCard debit cards it had issued, and began to look for common points of contact among the affected customers.
     "Over time, it became apparent that the customers of plaintiff affected by fraud had transactions at various Five Guys locations in common," the complaint states.
     MasterCard Inc., which had been looking into the transactions independently, confirmed that conclusion, Trustco says.
     The unauthorized transactions - Trustco counted 376 - occurred in November and December 2011, according to the complaint.
     In the cashless exchanges that make up much of commerce today, Trustco is known as an issuing bank that makes credit and debit cards available to customers under a framework established by companies like MasterCard. When a credit or debit card is used, a third party processes the transaction, alerting the credit card company, which informs the issuing bank, which then authorizes the payment to credit the merchant's account.
     Under this format, merchants are expected to operate according to so-called Payment Card Industry Data Security Standards, or PCI DSS, which require that they build a secure processing system that protects cardholder data.
     Trustco's complaint says Five Guys breached its duty to the bank by "allowing an unlawful intrusion into Five Guys' computer system sometime during 2011 and allowing the information to be accessed by third parties without authorization."
     "In this regard, Five Guys did not comply with payment card industry standards designed to protect debit card information from theft and/or preventing others from gaining access to such information," the complaint states.
     Trustco claims that the affected restaurants "never provided notification to ... customers of the security breach," as required by New York law.
     The complaint says Trustco suffered a loss of more than $89,800 when it had to reimburse the affected debit card holders for the unauthorized purchases.
     To avoid other fraudulent transactions and to protect customers, the bank canceled and replaced 1,701 MasterCard debit cards it had issued at a cost of $8.42 each, or more than $14,300, according to the complaint.
     The bank says each franchise should cover the card-replacement costs and other losses associated with the security breach.
     Trustco also wants the defendants to pay any damages it may face from their breach of any contracts as merchants in the MasterCard Credit Card Association.
     It is represented by Peter Pastore of McNamee, Lochner, Titus & Williams in Albany.