MasterCard data breach: Lawsuit demands damages

A class action lawsuit filed after millions of credit card accounts were compromised by a data breach at payment processor CardSystems Solutions now also demands unspecified monetary damages for consumers and merchants.

The amended complaint was filed on behalf of California credit card holders and card-accepting merchants on Wednesday in California Superior Court in San Francisco.

The suit, originally filed on 27 June, names as defendants CardSystems, MasterCard, Visa and Merrick Bank, a card-issuing bank that used CardSystems to process transactions. None of the defendants could be reached for comment late on Wednesday.

The suit accuses the companies of violating California law by neglecting to secure credit card systems and by failing to inform consumers in a timely manner about a security breach at CardSystems, which was disclosed publicly on 17 June by MasterCard.

The suit asks for consumers whose information was exposed to be informed and granted access to a credit-monitoring service. Additionally, Ira Rothken, the lawyer who filed the suit, has said that credit card companies should waive any charge-back fees or penalties to merchants in the case of fraudulent transactions that involve any of the credit cards involved in the security breach.

Intruders got access to details on about 40 million credit cards. Records covering about 200,000 cards are thought to have been transferred out of CardSystems' network. Credit card companies have said they would not notify customers unless the accounts are actually abused.

The updated complaint also charges that MasterCard, Visa and Merrick Bank knew or should have known that CardSystems failed security audits and did not comply with credit card industry security standards, said Rothken, who's based in San Rafael, California. Yet they continued to allow the company to process transactions, he said.

"In light of the notion that CardSystems failed multiple security audits, this is much more serious than we originally thought," Rothken said in an interview on Wednesday. "We're asking for damages against all the defendants proportionate to their wrongful conduct."

The amended suit also adds Andrew Schultz as a plaintiff. Schultz, a resident of Marin County, California, had his Visa debit card data compromised in the CardSystems breach, Rothken said.

The suit was originally filed on behalf of Eric Parke, a holder of several MasterCard and Visa credit cards, and Royal Sleep Clearance Center, a business that accepts the cards. The three plaintiffs seek to represent classes of consumers and merchants.

Retailers may have more to lose than consumers by the lack of notification. If a criminal makes an unauthorised purchase on an individual's card, the cardholder is typically protected. But in many cases, businesses have to cover the loss.

And if consumers aren't alerted, that means the compromised cards could still be active and may be used by criminals.

More defendants could be added as the case proceeds. The suit lists 200 unnamed defendants for that purpose.

Joris Evers writes for CNET News.com