July 27, 2021

Hack Damages: From Beginning to End

By Jesse LaGrossa, Senior Manager, Business Valuation, Forensic & Litigation Services & Ricardo Zayas, CPA, CFE, CVA, CFF, Partner, Advisory Services

Hack Damages: From Beginning to End Valuation, Forensic & Litigation Services

Ever ponder what happens when credit card data is stolen? I am not referring to the theft of your credit card from a wallet or handbag. I am referring to a situation in which your credit card information (i.e., personal identifiable information, or “PII”) is stolen as part of a business cyber hack.

From a professional perspective, I wanted to better understand the process of assessing financial damages and potential recoveries for victims. A hack in December 2019 provided an ideal scenario for me to delve into these issues.

The Wawa Hack

In the pre-COVID days of December 2019, residents of the Philadelphia region (and elsewhere along the East Coast) heard reports that our beloved Wawa had been the victim of a long-running computer hack. For the unfamiliar, Wawa is the operator of more than 850 convenience stores along the East Coast, stretching south from Pennsylvania and New Jersey to Florida. While computer network intrusions (i.e., hacks) have been with us for years, this one hit closer to home, as I suspect that everyone in the Philadelphia area has, at some point, made a purchase at a Wawa store.

As was standard practice, Wawa acknowledged the hack in a December 19, 2019, press release:

Wawa’s information security team discovered malware on Wawa payment processing servers on December 10, 2019, and contained it by December 12, 2019. After discovering this malware, Wawa immediately engaged a leading external forensics firm and notified law enforcement. Based on Wawa’s forensic investigation, Wawa now understands that this malware began running at different points in time after March 4, 2019. Wawa took immediate steps after discovering this malware and believes it no longer poses a risk to customers.

Wawa also disclosed types of data that may have been compromised as well as data elements its investigation had determined were not compromised. Wawa directed customers to its website for information on credit monitoring services and guidance on protecting personal information.

Admittedly, I was not surprised by reports of the Wawa computer hack. By December 2019, reports of data breaches and related potential compromises to personal credit and financial data had become “de rigueur.” Similarly, reports of multiple class action suits filed against Wawa upon announcement of the hack were also expected.

My professional interest was piqued by reports of claims of financial harm appearing in local news outlets within days of Wawa’s announcement. One such report appearing in the December 27, 2019, edition of the Philadelphia Inquirer described the story of one plaintiff who “… went to Wawa on a ‘near-daily basis’ during the data breach. She said someone fraudulently tried to spend $2,535.15 on her Capital One credit card on Tuesday, and as a result the credit card company locked her accounts the day before Christmas.” According to the civil complaint filed against Wawa, this plaintiff alleged she contacted Capital One and learned her credit card had been compromised in the Wawa data breach.

This plaintiff’s attorney described consequences to persons such as his client, stating, “People like our client had their cards frozen right around the holiday period and it just added insult to injury. Until she gets a new card, she doesn’t have access to credit. And that has caused a real-world personal harm for our clients.”

From my read, Plaintiff’s counsel was asserting:

  • Fraudulent charges appeared on the client’s credit card;
  • His client shopped at Wawa;
  • Wawa was “hacked”;
  • Therefore, the “hackers” obtained client’s information from Wawa.

Proving and Measuring a Loss

I questioned what credible evidence counsel possessed to support his or her assertion that the fraudulent charges on his client’s credit card were attributable to the Wawa breach versus some other breach? Was counsel asserting the plaintiff’s card was only used at Wawa? This was obviously not the case as the plaintiff stated she intended to use the card to make purchases at other locations.

I also questioned the measurable financial damages arising from this situation. In my own personal experience with fraudulent credit card charges, the credit card company removed the charges from my account and took actions it deemed appropriate to recover the loss. I expended time on the telephone to report the incident and completion of a claim form that I signed and returned to the credit card company. Was my expenditure of time compensable?

In my professional experience, plaintiffs must establish a correlation between the claimed adverse occurrence (i.e., the Wawa hack) and the loss (i.e., the fraudulent charges and “… the real-world personal harm”). This is generally referred to as “causation” or “proximate cause” and means the plaintiff (i.e., the aggrieved or damaged party) must show the alleged harm was attributable to the actions of the defendant (Wawa).

Having presumably established a loss attributable to some specific causal event (i.e., the Wawa hack), the plaintiff / damaged party must be able to present a reasonable measure of the amount of the loss. What constitutes a reasonable measure continues to be the subject of many court challenges. That said, before delving further into financial damage issues such as causation and measurement, I wanted to better understand what happens in a “hack.”

The Market Value of Stolen Credit Card Data (PII)

A few clicks of the mouse and I learned there is a difference between a “hack” and a “data breach.” According to Eitan Katz, a “data breach” is an unintentional occurrence in which sensitive or confidential data “… is left vulnerable in an unsecured environment …” and “… is viewed by someone who shouldn’t have access to that data.” Conversely, “A hack is an intentional attack perpetrated by a malicious actor who gains unauthorized access to a protected system (e.g., computer, server) in order to steal private information or hold the system ransom.”1

Focusing on “hacks” perpetrated to gain access to credit card data or other personal financial assets, I gleaned there was a “dark web” marketplace where personal credit card data was:

  • Advertised for sale;
  • Sold to a buyer / user of illicitly secured credit card data; and
  • Used to make fraudulent purchases or for some other financial benefit.

I was intrigued by considerations when assigning a market value / sales price to the data. Not all customer data is considered equally valuable for purposes of sale. Common market factors such as supply, demand and perceived quality factor into the pricing of stolen credit card data. An August 2020 posting by Anisha Sekar in Nerdwallet2 reported:

A stolen credit card number isn’t worth much on its own. The credit bureau Experian reported in 2017 that a credit card number could fetch maybe $5 if it came with the CVV number (the security code printed on the card). And tech website GigaOm has reported that a batch of a thousand numbers might sell for just $6.

The December 6, 2017, Experian report cited by Sekar listed a range of $5 to $110 for credit card data depending on the completeness of the data. Examples listed in the Experian report included:

  • A credit or debit card with CVV number – $5;
  • A credit or debit card with bank info – $15; and
  • A credit or debit card with “Fullz” info – $30.

“Fullz info” was described as “… a bundle of information that includes a “full” package for fraudsters: name, SSN, birth date, account numbers and other data that make them desirable since they can often do a lot of immediate damage.”3

Information relating to the market value of the stolen PII was presented in the complaint filed against Wawa, which alleged stolen card information is “… a valuable commodity to identity thieves.” The Wawa complaint stated, “The purpose of stealing large caches of Card Information is to use it to defraud consumers or to place it for illegal sale and to profit from other criminals who buy the data and use it to commit payment card fraud. Indeed, cyber criminals routinely post stolen payment card information on anonymous websites, making the information widely available to a criminal underworld. There is an active and robust market for this information.” According to the complaint, “… payment cards compromised in the data breach were reportedly available for sale for $17 per card on the dark web …”

I learned cards and card data were routinely bundled; 1,000 stolen cards would be sold wholesale (i.e., at a discounted price). Other sellers seemed to offer flexible pricing depending on the buyer’s success in using the data to effectuate fraudulent transactions. This market for stolen credit card data operated much like any other market, using the principles of supply and demand we learned in introductory economics.

Claimed Damages

The following information was excerpted from the “Damages to Class Members” section of the Wawa complaint.4 As presented in Section F, Paragraphs 204, et seq., the class members had been damaged in multiple ways, including:

  • Exposure of their card information by way of the Wawa data breach and offered for sale on the “dark web.”
  • Experiencing fraudulent credit and debit card transactions and the risk of payment card fraud going forward.
  • Incurring out-of-pocket costs for protective measures for replacement cards, overdraft fees, late payment fees, and similar costs related to the data breach.
  • Suffering a “loss of value” of their credit and debit card information when it was stolen by the hacker(s) in the data breach.5
  • Suffering “benefit of the bargain” damages in that they overpaid for goods that should have been–but were not–accompanied by adequate data security.
  • Spending time to monitor their payment card accounts for fraud, disputing fraudulent transactions, and reviewing their financial affairs more closely than they otherwise would have but for the data breach.
  • The inability to use their credit or debit cards when their accounts were suspended or otherwise rendered unusable due to the fraudulent charges, and spending time to obtain replacement cards.
  • Forfeiture of rewards points or airline miles they earned on payment cards that were cancelled.

Causation / Identifying Losses

Years ago, counsel might ask the damages expert to assume the losses sustained by the plaintiff were attributable to the Wawa hack. In today’s environment, accepting the assumption without assessing the reasonableness of the assumption could cause a challenge to the expert’s findings and a motion to exclude the expert from testifying at any proceedings.

On this point, the Business Valuation Law News posted a paper entitled “Don’t assume causation, AICPA panel warns damages experts” in December 2017. This article discusses “… two types of causation requirements. The higher standard requires a showing that, ’but for’ the defendant’s conduct, the harm would not have occurred. A less rigid standard requires a showing that the alleged misconduct was at least a ‘substantial factor’ in causing the harm.”6 Establishing this correlation would likely require showing through sufficient objective evidence that other likely causes of the claimed loss have been considered and eliminated.

Assuming the “causal” connection is established, the plaintiffs will need to establish that the claimed damages are subject to being measured with reasonable certainty.

Cases Addressing “Hack” Damages

Not surprisingly, damage claims presented in the Wawa complaint were similar to claims presented in other legal matters and addressed by courts. For example, a 2019 Memorandum Opinion in a matter captioned Attias, et al. v. Carefirst, Inc., et al. (USDC for the District of Columbia, Case No. 15-cv-00882 (CRC)) addressed damage claims arising from a May 2015 data breach at CareFirst7 that compromised the personal information of millions of its policyholders.

The Court noted:

  • The plaintiffs’ damage claims did not, “… for the most part, involve actual misuse of their personal information. Plaintiffs instead claim that the data breach resulted in an increased risk of identity theft and the need for prophylactic expenditures – on credit monitoring services and the like – to reduce that risk; and
  • “… while plaintiffs’ alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the “actual damages” element of nine of their state-law causes of action.” The opinion also acknowledged “… the difficulty of applying traditional tort and contract principles in the contemporary context of data security.”

The Attias v. CareFirst Memorandum Opinion was replete with references to and citations regarding damage issues noting:

  • “… actual loss or damage is an essential element for a breach of contract cause of action …” and that “… the fact of damage and a reasonable estimate must be established.”
  • “… [t]o maintain an action for negligence, a plaintiff must allege more than speculative harm from defendant’s allegedly negligent conduct.”
  • “[T]he mere breach of a professional duty, causing only nominal damages, speculative harm, or the threat of future harm—not yet realized—does not suffice to create a cause of action for negligence.”

Another “hack” that provides insight into the manner in which Courts and litigants have addressed damage issues is the December 2013 hack of the Target customer data. That matter, captioned Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK), was settled in March 2015.

The Target settlement provided, in part, that Target would pay $10 million into a settlement fund from which payments would be made to eligible “settlement class members” and “settlement class representatives.” The settlement fund would be used to reimburse settlement class members whose personal or financial information was compromised “… for losses caused by the data breach of up to $10,000.”

Losses to be reimbursed included:

  • Unauthorized, unreimbursed charges on the credit or debit card;
  • Time spent addressing unauthorized charges on the credit or debit card;
  • Costs to hire someone to help correct the credit report;
  • Higher interest rate on an account or higher interest fees paid by the cardholder; loss of access or restricted access to funds;
  • Fees paid on accounts (such as late fees, declined payment fees, overdrafts, returned checks, customer service, or card cancellation or replacement);
  • Credit-related costs (such as buying credit reports, credit monitoring or identity theft protection, or costs to place a freeze or alert on the cardholder’s credit report);
  • Costs to replace a driver’s license, state identification card, social security number, or phone number; or
  • Other costs or unreimbursed expenses as a result of the Target data breach.

The Target settlement included a formal claims process which provided, in part, that class members could seek reimbursement for “substantiated losses,” which were defined as “losses caused by the Intrusion for which the Settlement Class Member submits reasonable documentation that the claimed losses were actually incurred and more likely than not arose from the Intrusion.”8

As provisions of the Target settlement indicate, damage concepts and issues raised in the Attias v. CareFirst matter were incorporated into the settlement as speculative damages; claims that could be not satisfactorily linked to the “intrusion” and damage claims that were not subject to reasonable estimation were excluded.

Resolving the Wawa Hack

In February 2021, the Wawa hack litigation was settled. According to documents filed with the Eastern District of Pennsylvania Court, the settlement agreement provided, in part, for up to $9 million in Wawa gift cards and cash to “consumer track” class members meeting the following criteria:

  • Tier 1 – Customers using “payment cards” who did not experience a fraudulent transaction would receive a $5 gift card.
  • Tier 2 – Customers using “payment cards” who “experienced an actual or attempted fraudulent transaction would receive $15 gift cards.
  • Tier 3 – Customers with “actual out-of-pocket monetary damages” in connection with “an actual or attempted fraudulent transaction reasonably attributable to the “Data Security Incident” could receive up to $500 per claimant. The total Tier 3 claims are capped at a combined $1 million (i.e., 2,000 claimants at $500 per claim).

The agreement also required Wawa to implement measures to strengthen its data security environment and pay up to $3.2 million in legal and claims administration fees.

Wawa, Inc. Data Breach Class-Action Settlement
Estimated Class Members 22 million
Estimated Cost of Data Security Improvements $35 million
Settlement Damages Awarded to Class Members $9 million
Other Damages (Attorneys’ Fees, Settlement Administration) $3.2 Million
Total Estimated Damages $47.2 million

As with the Target settlement, the Wawa settlement included a claims process. The type of supporting documentation to be submitted varied with the tier, with Tier 3 being the most demanding. Tier 3 claimants seeking recovery of “actual out-of-pocket” damages were required to submit “reasonable proof,” a phrase defined in the agreement to include bank or credit card statements and/or other “documentary proof that establishes the existence, date and amount of ‘actual out-of-pocket monetary damages reasonably attributable to Data Security Incident.’”

Closing Comments

As the resolutions of the Attias, Target and Wawa data breaches show, the long-standing damage concepts of causation, actual damages v. speculative damages and reasonable estimation are not abandoned in the context of these actions to recover claimed losses arising from a “hack” of PII. Plaintiffs / claimants seeking actual damages must participate in a formal claims process wherein specific evidence of the claimed loss is presented for inspection. Even then, the amount that can be recovered is limited. Absent specific evidence and participation in a formal claims process, many claimants will be limited to receiving credit monitoring services or a “gift” card of nominal value.

Sources

  1. What Is a Hack vs. What Is a Data Breach: Cybersecurity 101; April 12, 2018; By Eitan Katz
  2. Anisha Sekar August 18, 2020.
  3. Experian, December 6, 2017 “Here’s How Much Your Personal Information is Selling for on the Dark Web” by Brian Stack.
  4. “IN RE: WAWA, INC. DATA SECURITY LITIGATION”, U.S. District Court for the Eastern District of Pennsylvania, Case No. 19-6019-GEKP, Section F. “Damages to Class Members”, paragraphs 204, et seq.,
  5. This loss claim gave me pause. Other than the “dark web” / illegal market described earlier, I did not understand where a different market for the credit card data existed or how the victim would monetize / measure the claimed loss in value.
  6. Business Valuation Law News Written by: Sylvia Golden Categories: economic damages & lost profits Tags: business tort but for causation economic damages & lost profits expert testimony Horizon Health
  7. CareFirst is a health insurance provider.
  8. Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK); Settlement Agreement, Exhibit 1.