Cyber Incident Victim: PrimoHoagies

Date: Jul 2019

Location: United States of America

Summary

A sandwich shop chain faced a class-action lawsuit following a cybersecurity breach impacting online customers' payment card information, including names, addresses, card numbers, expiration dates, and security codes. The incident persisted undetected for several months before discovery through reports of fraudulent transactions, prompting notification to payment card networks and customer advisories to monitor accounts. The lawsuit alleged inadequate data protection measures, citing victims' financial fraud risks and burdens like credit monitoring or freezes, while seeking compensatory damages and identity theft protection services for affected individuals.

Description

PrimoHoagies, a Philadelphia-based sandwich chain with over 85 franchises across eight East Coast states, experienced a cybersecurity breach affecting its online payment platform from July 15, 2019, to February 18, 2020. The breach remained undetected for seven months until the company received customer reports of unusual payment card activity. Attackers accessed payment card information of online purchasers, including names, addresses, card numbers, expiration dates, and security codes. In-store transactions were not compromised. Upon discovery, PrimoHoagies Franchising, Inc. notified payment card brands on April 17, 2020, to implement fraud prevention measures and advised affected customers to monitor their account statements. The company did not disclose the total number of impacted individuals but confirmed the breach exclusively targeted online orders through its payment platform.

On April 23, 2020, Edward D. Hozza III filed a class-action lawsuit against PrimoHoagies in Camden Federal Court, alleging inadequate security measures led to the theft of sensitive payment data. Hozza, a Pennsylvania resident, cited fraudulent purchases on his card in September 2019, necessitating card replacement. The suit claimed victims would incur expenses for credit monitoring, fraud alerts, and freezes, estimating impacted customers numbered "likely in the millions." Represented by attorney Anthony Christina, Hozza sought unspecified compensatory and punitive damages for all affected customers and demanded PrimoHoagies provide at least three years of identity theft and credit monitoring services. The legal action emphasized prolonged exposure risks due to the breach's extended duration and criticized delayed breach detection and disclosure timelines.
