U.S. Bank allegedly concealed data breach

A tiny mom- and daughter-owned company in Arizona is taking aim at U.S. Bank in a class-action lawsuit that alleges the bank failed to protect them and countless other online merchants from crooks who breached the bank's credit card database.

In a lawsuit filed last month in Hennepin County and removed to U.S. District Court in Minneapolis this week, the company Paintball Punks alleges that between August and December 2009, it received nine orders totaling $11,259.91 that were fraudulently billed to U.S. Bank-issued credit cards.

That's not a huge amount, but the potential client base from U.S. Bank's $16 billion credit card portfolio drew the attention of two major law firms that specialize in class-action cases. U.S. Bank said potential damages could exceed the $5 million threshold required under the Class Action Fairness Act of 2005.

The Arizona firm sells paintball supplies online. It claims that before it shipped out any merchandise, it took all the required steps to verify cardholders' identities, including checking the security codes on the backs of credit cards and cross-referencing the shipping addresses against the cardholders' billing addresses on file with the bank.

Even so, after the actual account holders disputed the charges, U.S. Bank tapped into Paintball Punks' bank account in what's known as a "chargeback" and recouped the money from the bogus transactions.

According to the lawsuit, Minneapolis-based U.S. Bank covered up a breach of its own security systems and shifted the cost of fraudulent charges onto merchants.

The bank's attorney, Peter Carter of Dorsey and Whitney, disputed the allegations. "It is our strong view that this case is wholly without merit and we're looking forward to establishing our defense before the court," Carter said, declining further comment.

Mitchell Gold said Tuesday that his daughter and ex-wife own E-Shops Corp., which does business as Paintball Punks. They operated for more than two years without any chargebacks at all, he said. But about a year ago, they ran into nine -- all on U.S. Bank credit cards -- in a period of just three months.

Losing the money from those sales nearly drove them out of business, Gold said. So although he has no financial interest in the firm, he said, he decided to investigate.

Gold said he had a hard time getting anyone at U.S. Bank to speak to him because the fraudulent charges were on consumer accounts, and the paintball company didn't have a merchant account with the bank. But he said he eventually got two U.S. Bank employees to talk to him, and they said the bank knew for some time that it had a data breach.

Gold declined to identify the two bank employees on advice of counsel, but said he has their names, titles and contact information.

The suit, which is seeking to be certified as a class action, says the bank failed to notify its customers but instead decided to handle fraudulent charges as they were discovered. The suit says the two U.S. Bank employees claimed that bogus charges could generally be spotted because they involved accounts with recent address changes, followed by flurries of orders on a variety of websites.

Paintball Punks, based in Lake Havasu City, Ariz., is represented by Green Welling of San Francisco and Zimmerman Reed of Minneapolis. It's unclear how many plaintiffs might qualify for the class, but it's a potentially huge number. U.S. Bank has 5.7 million active Visa and MasterCard credit card accounts, and 3.8 million Visa and MasterCard debit card accounts, according to a filing the bank made Monday in its motion to move the case to federal court.

Gold said that when his daughter investigated the chargebacks to her company's bank account, she got a list of the contested charges. One cardholder disputed 15 transactions in 13 days totaling $14,279.52, the suit says.

John McCullough, a financial crimes consultant who formerly ran the Minnesota Financial Crimes Task Force, was skeptical when told about the lawsuit Tuesday. He said he didn't think the bank had access to the security code on the back of the credit cards, so even if its systems were breached, it wouldn't explain how the thieves got that information, which is stored by the credit card companies.

These kinds of problems most often result from phishing scams, where thieves -- often part of organized crime rings -- target individuals and trick them into entering private financial data on realistic but bogus Web pages, McCullough said.

Dan Browning • 612-673-4493