Credit Card Breach at Madison Square Garden

by John DiGiacomo

Partner

Data Breach

Madison Square Garden Co. recently announced that the payment systems at Madison Square Garden and a small number of its other major entertainment venues were compromised for roughly a year. Payment card data of customers who made purchases at the affected venues may have been exposed. According to Gizmodo.com, Madison Square Garden, Radio City Music Hall, Theater MSG, and Beacon Theater, along with Chicago Theater in Illinois, were likely affected. Anyone who used a credit or debit card to buy food, beverages, or merchandise at those venues between November 9, 2015 and October 24, 2016 could be affected.

The exact number of people affected by the MSG point-of-sale system hack is unknown, but it is likely in the millions. The breach was limited to the payment systems inside the affected venues; it did not include online ticket sales or box office ticket sales.

The MSG Credit Card Hack

The hack was malware installed in the MSG payment processing system that gave the attackers unauthorized access to card data. It searched specifically for debit and credit card data as it was routed through the payment system for authorization, and it was built to capture card numbers, expiration dates, cardholder names, and the internal verification code encoded on the card's magnetic stripe (the value the issuer checks to confirm that a swiped card is genuine; it is not the three-digit code printed on the back of the card). Data of this kind can be used to make counterfeit cards, and the card number, expiration date, and name can be used for unauthorized purchases at online merchants that do not require the printed code.

After discovering the intrusion, Madison Square Garden shut it down and hired leading security firms to investigate. MSG, working with those firms, has also taken steps to strengthen the security of customer data on its card reader systems.

Chipped Credit Cards are Designed to Be Harder to Hack

Since the October 2015 EMV liability shift, U.S. card issuers have been replacing magnetic stripe cards with chip (EMV) cards, and a merchant that still processes a chip card by swipe bears the liability for any resulting counterfeit fraud. A chip transaction produces a one-time cryptogram, so data captured from it cannot be replayed to make a working counterfeit card the way copied stripe data can. The chip does not, however, stop POS malware from reading the card number and expiration date, which still pass through the register in the clear unless the terminal encrypts them before they reach the register (point-to-point encryption). Chip cards raise the cost of using stolen card data rather than preventing its theft, and they are expected to curb the fraud that physical and software skimmers have made routine.

Point-of-Sale Breaches: Legal Framework and Business Liability

The MSG breach is one of the most prominent examples of a point-of-sale (POS) malware attack — a category of breach in which malicious code is installed directly on payment-processing hardware or software at the physical location where the transaction occurs. POS malware attacks have compromised payment systems at Target (2013), Home Depot (2014), Wendy’s (2016), and dozens of other retailers. Understanding how these attacks work and what legal obligations they trigger is essential for any business that accepts credit or debit card payments.

How POS Malware Attacks Work

POS malware is typically introduced through a compromised vendor credential, a phishing attack against an employee with network access, or a weakness in the remote access software used to manage payment terminals. Once installed, the malware operates as a memory scraper: it reads card data from the memory of the register or terminal in the moments after a card is swiped or dipped, while the data sits in the clear before it is encrypted for transmission to the processor. The scraped data, meaning card numbers, expiration dates, cardholder names, and verification codes, is then transmitted to a server the attacker controls.

The year-long duration of the MSG breach is not unusual. POS malware is designed to operate silently: it does not lock systems, display ransom messages, or otherwise alert the victim. Detection requires active monitoring of network traffic leaving the payment segment and of payment system logs, which many businesses either do not perform or do not perform often enough to catch an intrusion quickly. The Trustwave Global Security Report has consistently found that the average time from POS malware installation to detection exceeds 180 days.
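As an added example of the monitoring this paragraph calls for (not code from the page or from MSG), here is an egress check over constructed firewall log lines. It assumes a hypothetical card-data VLAN of 10.20.5.0/24 and a hypothetical processor allow-list of 198.51.100.0/24, and it flags any register that connects to an address outside the internal ranges and the allow-list, noting whether those connections recur at a fixed interval, the beaconing pattern of malware that stages card data and sends it out on a schedule. The log lines and addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed firewall log lines (not from MSG or any real network). Two registers
# on the card-data VLAN talk to the processor; one of them also connects hourly to
# an address that is on no allow-list. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-03-14T02:15:07Z src=10.20.5.31 dst=198.51.100.10 dport=443 action=allow bytes_out=2048
2016-03-14T02:15:09Z src=10.20.5.32 dst=198.51.100.10 dport=443 action=allow bytes_out=1976
2016-03-14T02:20:00Z src=10.20.5.31 dst=203.0.113.45 dport=443 action=allow bytes_out=18432
2016-03-14T03:20:01Z src=10.20.5.31 dst=203.0.113.45 dport=443 action=allow bytes_out=17920
2016-03-14T04:19:59Z src=10.20.5.31 dst=203.0.113.45 dport=443 action=allow bytes_out=18944
2016-03-14T04:21:13Z src=10.50.1.7 dst=203.0.113.45 dport=443 action=allow bytes_out=512
"""

# Assumed network layout for the example (hypothetical ranges).
CARD_DATA_NETS = [ipaddress.ip_network("10.20.5.0/24")]                      # register VLAN
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # RFC 1918 space
EGRESS_ALLOW = [ipaddress.ip_network("198.51.100.0/24")]                     # payment processor

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"action=(?P<action>\w+) bytes_out=(?P<bytes_out>\d+)$"
)


def in_any(addr, nets):
    return any(addr in n for n in nets)


def parse_line(line):
    """Parse one log line into typed fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
        "bytes_out": int(m["bytes_out"]),
    }


def looks_periodic(times, tolerance=0.05):
    """True if three or more connections are spaced at a near-constant interval."""
    if len(times) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mid = median(gaps)
    return mid > 0 and all(abs(g - mid) <= tolerance * mid for g in gaps)


def unexpected_egress(log_text):
    """Flows from card-data hosts to destinations outside both the internal nets and the allow-list."""
    flows = defaultdict(lambda: {"connections": 0, "bytes_out": 0, "times": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_any(rec["src"], CARD_DATA_NETS):
            continue                      # only hosts in scope for card data
        if in_any(rec["dst"], INTERNAL_NETS) or in_any(rec["dst"], EGRESS_ALLOW):
            continue                      # expected destinations
        f = flows[(str(rec["src"]), str(rec["dst"]), rec["dport"])]
        f["connections"] += 1
        f["bytes_out"] += rec["bytes_out"]
        f["times"].append(rec["ts"])
    alerts = []
    for (src, dst, dport), f in sorted(flows.items()):
        alerts.append({"src": src, "dst": dst, "dport": dport,
                       "connections": f["connections"], "bytes_out": f["bytes_out"],
                       "periodic": looks_periodic(sorted(f["times"]))})
    return alerts


if __name__ == "__main__":
    for alert in unexpected_egress(SAMPLE_LOG):
        print(alert)
```

The check is only as good as the allow-list: a register should have a short, fixed set of legitimate destinations (processor, patch server, management host), and anything else from the card-data segment deserves a ticket regardless of the port, since exfiltration over 443 is allowed through most firewalls by default. The host at 10.50.1.7 talks to the same suspicious address but is ignored here because it is outside the card-data segment; in practice it would be a second lead.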

PCI-DSS Compliance Obligations

Any business that accepts, processes, stores, or transmits credit card data is subject to the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS is not a statute — it is a set of technical and operational requirements established by the Payment Card Industry Security Standards Council. Compliance is contractually required by the agreements between merchants and their payment card processors.

PCI-DSS requires merchants to, among other things: maintain a secure network with firewalls protecting cardholder data, encrypt transmission of cardholder data across open public networks, use and regularly update anti-virus software, restrict access to cardholder data on a need-to-know basis, and regularly test security systems and processes. A merchant that suffers a POS malware breach while out of PCI-DSS compliance faces significant contractual exposure. Card brands can impose fines directly on the merchant’s acquiring bank, which will in turn pass those fines to the merchant. These fines can reach into six or seven figures for a large-scale breach.

State Data Breach Notification Laws

A POS malware attack at a major entertainment venue like MSG involves customers from dozens of states. Every U.S. state now has a data breach notification statute. The applicable laws are those of the states where affected customers reside, not necessarily the state where the breach occurred. A business that discovers a POS breach must analyze the geographic distribution of affected customers to identify every notification obligation that applies.

New York’s SHIELD Act, N.Y. Gen. Bus. Law § 899-aa, requires notification of affected New York residents in the most expedient time possible and without unreasonable delay. California’s data breach notification statute, Cal. Civ. Code § 1798.82, requires notification to affected California residents “in the most expedient time possible and without unreasonable delay.” Illinois’ Personal Information Protection Act, 815 ILCS § 530/10, imposes similar requirements. Many states now require notification to the state attorney general whenever a breach affects more than a threshold number of residents.

Civil Litigation Exposure

Affected consumers in a POS breach have potential civil claims against the breached merchant. Courts have allowed negligence claims, breach of implied contract claims, and consumer protection claims to proceed in major retail data breach cases. The central question in these cases is whether the merchant took reasonable steps to secure payment card data and, if not, whether that failure was the proximate cause of the consumer’s harm.

Class action litigation is the dominant vehicle in payment card breach cases. In the Target breach class action, the financial institution class — banks and credit unions that reissued cards and reimbursed fraudulent charges — reached a settlement of approximately $39 million. The consumer class settlement was an additional $10 million. Home Depot’s combined breach-related settlements and legal costs exceeded $190 million. These figures illustrate the scale of financial exposure a business faces following a large-scale POS breach.

What Affected Consumers Should Do

  • Monitor card statements immediately. Review every transaction on any card used at an affected venue during the breach window. Report unauthorized charges to the card issuer as soon as possible.
  • Request a card replacement. Even if no unauthorized charges have appeared yet, a card used at a compromised POS terminal during the breach period should be considered compromised. Request a new card with a new number.
  • Place a fraud alert or credit freeze. If you believe your personal information was also exposed, place a fraud alert or security freeze on your credit reports at Equifax, Experian, and TransUnion under 15 U.S.C. § 1681c-1.
  • Consult an attorney about your legal options. If you suffered financial harm from unauthorized charges connected to a merchant’s POS breach, you may have claims beyond your dispute rights with the card issuer.

Contact a Data Breach Attorney

Revision Legal represents businesses and individuals in data breach matters involving payment card systems. Whether you are a business working through PCI-DSS compliance after a breach or a consumer who suffered financial losses from a compromised payment terminal, contact the data breach attorneys at Revision Legal for a consultation.
