A class-action lawsuit was filed against RBS WorldPay following a breach of the payment processor's computer system that led to a coordinated ATM scam.
Three law firms filed the lawsuit last week claiming that the Atlanta-based company failed to comply with industry security standards to protect customers' personal data. "RBS' data security environment failed to meet industry standards, including, but not limited to, ISO and PCI requirements," the lawsuit states.
The suit also contends the company failed to provide timely notice of the breach, and offered inadequate credit monitoring services to customers whose Social Security numbers were compromised. RBS discovered the breach on Nov. 10 but did not announce it until Dec. 23, according to the lawsuit.
RBS WorldPay, the U.S. payment processing arm of the Royal Bank of Scotland, reported that personal information of about 1.5 million pre-paid cardholders and other individuals was compromised when its computer system was hacked. The Social Security numbers of 1.1 million of those cardholders may also have been compromised, the company said.
The stolen data was used in a highly-coordinated ATM scam involving cloned payroll debit cards and reloadable gift cards, according to the FBI. The agency is investigating the attack, which occurred in several cities reportedly on Nov. 8. According to published reports, the criminals made off with $9 million.
The suit contends that RBS was intimately familiar with industry data security standards and should have known that its computer system for processing and storing the plaintiffs' personal and financial information was not secure.
Last month, a class-action lawsuit was filed against another payment processor, Heartland Payment Systems Inc., which disclosed in January that criminals broke into its processing system last year.
The lawsuit against RBS WorldPay was filed by Atlanta-based Doffermyer Shields Canfield & Knowles LLC, Sheller P.C. of Philadelphia and Finkelstein Thompson LLP of Washington, D.C. It seeks damages, credit monitoring services and/or identity theft insurance for the plaintiffs, and that RBS WorldPay be required to improve its computer security.