MEMORANDUM OPINION
Defendants MAPCO Express, Inc. and Delek U.S. Holdings, Inc. have asked the Court to dismiss plaintiff Brian Burton’s amended complaint. (Docs. 20, 21). Mr. Burton has been attempting to frame claims against MAPCO and Delek relating to data breaches that MAPCO suffered over the course of 11 days between March 19, 2013 and April 21, 2013. MAPCO acknowledges that on those 11 days, third-party hackers breached MAPCO’s computer systems and accessed account information concerning MAPCO customers. (Doc. 22, p. 1; Doc. 27, p. 3).
Under the pleading standard that the United States Supreme Court enunciated in Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009), it is difficult for consumers like Mr. Burton to assert a viable cause of action stemming from a data breach because in the early stages of an action, it is challenging for a consumer to plead facts that connect the dots between the data breach and an actual injury so as to establish Article III standing. Mr. Burton’s amended complaint comes closer to the mark than his original complaint, at least with respect to his negligence claim, but the allegations in the amended complaint still fall short. Because litigation relating to computer data breaches is a relatively new phenomenon, and the law in this area is developing fairly quickly, the Court will give Mr. Burton one final chance to amend his complaint to allege plausible facts that will enable him to establish standing to assert his negligence claim against the defendants.
If Mr. Burton cannot establish standing, then the Court will lack subject matter jurisdiction over his negligence claim, and *1281the Court will dismiss that claim pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. The Court dismisses the balance of Mr. Burton’s federal and state law claims pursuant to Rule 12(b)(6) because the facts that Mr. Burton has alleged do not state a claim upon which relief may be granted.1
FACTUAL BACKGROUND
On behalf of a proposed nationwide class, Mr. Burton asserts claims against the defendants concerning credit card and debit card data stolen from MAPCO’s computer network in the spring of 2013. (Doc. 20, ¶ 8, 14). Mr. Burton alleges that during the days on which the data breaches occurred, he used a debit card to make purchases at one of Mapco’s convenience stores, and a third-party then used his debit card account for unauthorized purchases from gas stations in Florida. The unauthorized charges total just under $300.00.2 (Doc. 20, ¶¶ 4,11).
Based on this set of facts, Mr. Burton asserts claims for intentional violation of the Fair Credit Reporting Act (Count I); negligent violation of the Fair Credit Reporting Act (Count II); invasion of privacy by public disclosure of private facts (Count III); and negligence (Count IV). According to Mr. Burton, putative members of the proposed nationwide class similarly suffered damages because “their personal information or what is known as their personal customer account information [was] compromised, ... their privacy rights [were] violated ... [they were] exposed to and [are] suffering the risk of fraud and identity theft and the threat of fraud and identity theft, ... [they were] the victims of fraud, and ... [they] otherwise suffered damages.” (Doc. 20, ¶ 1).
MAPCO moved to dismiss Mr. Burton’s original complaint for lack of standing and for failure to state claim. (Doc. 4). MAP-CO and Delek challenge Mr. Burton’s amended complaint on the same grounds. (Doc. 22).2 Mr. Burton has asked the *1282Court to stay these proceedings “pending the Court’s resolution of Winsouth Credit Union’s motion to transfer this action to the U.S. District Court for the Middle District of Tennessee” pursuant to 28 U.S.C. § 1407. (Doc. 37). Winsouth seeks MDL treatment for purposes of discovery in the various consumer and financial institution class actions pending against MAP-CO. To secure the just and efficient disposition of these proceedings, the Court resolves the defendants’ current motion to dismiss. See Fed.R.Civ.P. 1.
LEGAL ANALYSIS
A. Negligence
1. Jurisdiction
As the party invoking federal jurisdiction, Mr. Burton bears the burden of establishing the Court’s jurisdiction over his claims. McCormick v. Aderholt, 293 F.3d 1254, 1257 (11th Cir.2002) (“[Tjhe party invoking the court’s jurisdiction bears the burden of proving, by a preponderance of the evidence, facts supporting the existence of federal jurisdiction) (internal citation omitted”). “Article III of the United States Constitution limits the jurisdiction of federal courts to cases and controversies. ‘[Tjhere are three strands of justiciability doctrine — standing, ripeness, and mootness — that go to the heart of the Article III case or controversy requirement.’ Christian Coal. of Fla., Inc. v. United States, 662 F.3d 1182, 1189 (11th Cir.2011).” Zinni v. ER Solutions, Inc., 692 F.3d 1162, 1166 (11th Cir.2012) (one internal citation omitted).
To meet the requirements of Article III standing, a plaintiff must establish that he has suffered an injury in fact, that the injury was causally connected to the defendant’s actions, and that a judgment in the plaintiffs favor will redress the injury. Koziara v. City of Casselberry, 392 F.3d 1302, 1304 (11th Cir.2004) (citing Lujan v. Defenders of Wildlife, 504 U.S. 555, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)); see also Resnick v. AvMed, Inc., 693 F.3d 1317, 1323 (11th Cir.2012). The ripeness doctrine also requires an examination of the nature of the injury that the plaintiff alleges. “ ‘Courts must resolve whether there is sufficient injury to meet Article Ill’s requirement of a case or controversy and, if so, whether the claim is sufficiently mature, and the issues sufficiently defined and concrete, to permit effective decision-making by the court.’ ” Yacht Club on the Intracoastal Condominium Ass’n, Inc. v. Lexington Ins. Co., 509 Fed.Appx. 919, 922 (11th Cir.2013) (quoting Digital Properties, Inc. v. City of Plantation, 121 F.3d 586, 589 (11th Cir.1997)).
“This case presents thorny standing issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury. That is, when is a consumer actually harmed by a data breach — the moment data is lost or stolen, or only after the data has been accessed or used by a third party?” In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, 45 F.Supp.3d 14, 19, 2014 WL 1858458, *1 (D.D.C.2014). The SAIC court found that “the mere loss of data — without evidence that it has been either viewed or misused — does not constitute an injury sufficient to confer standing.” Id. The SAIC court permitted only the two plaintiffs who “plausibly assert[ed] that their data was accessed or abused” to “move forward with their claims.” Id.
*1283Another court has required more than a plausible assertion that the plaintiffs account data was accessed or abused. In In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D.Ill.2013), the district court held that to plead an injury adequately in a data theft case, a plaintiff must assert not only that an unauthorized party had access to or abused his data but also that he (the plaintiff) suffered an actual economic loss as a consequence. In Barnes & Noble, the district court dismissed the plaintiffs’ claims for lack of standing because:
[o]nly [one plaintiff,] Winsteadf,] suffered from actual fraudulent activity, when a fraudulent charge was made to her credit card. This fraudulent charge occurred after she shopped at the breached Barnes & Noble store. Win-stead was contacted by her credit card company about a potentially fraudulent charge, she confirmed it was fraudulent; her card was cancelled; and Winstead was unable to use her credit card until a replacement card arrived.
Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 at *2. The court continued:
[e]ven assuming the fraudulent charge is due to the actions or inactions of Barnes & Noble, Winstead has not pled that actual injury resulted and that she suffered any monetary loss due to the fraudulent charge. She alleges she was without the use of her credit card for the period of time it took to replace her card, but there is no indication of how long this was, or any other facts regarding this period of time. In order to have suffered an actual injury, she must have had an unreimbursed charge on her credit card; the most that is alleged is a time lag of an unknown length between learning of the fraudulent charge and receiving a new credit card.
Id. at *6 (citing In re Michaels Stores Pin Pad Litig., 830 F.Supp.2d 518, 527 (N.D.Ill.2011) (“Plaintiffs suffered no actual injury ... if Plaintiffs were reimbursed for all unauthorized withdrawals and bank fees and, thus, suffered no out-of-pocket losses.”)). The district court added, “[mjoreover, it is not directly apparent that the fraudulent charge was in any way related to the security breach at Barnes & Noble. For these reasons, there is no actual injury and therefore, no standing.” 2013 WL 4759588 at *6.
To date, the Eleventh Circuit Court of Appeals has not weighed in on the extent of the injury that a consumer who is a purported victim of a data breach must allege to survive a motion to dismiss based on lack of standing. The Eleventh Circuit considered the related topic of identity theft in Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir.2012). In that case, the plaintiffs alleged that they suffered monetary damages as a consequence of identity theft after two laptop computers containing the plaintiffs’ sensitive personal data were stolen from the defendant health services provider. The Eleventh Circuit reversed a district court order dismissing the plaintiffs’ claims for lack of standing. The Court held:
Whether a party claiming actual identity theft resulting from a data breach has standing to bring suit is an issue of first impression in this Circuit. Plaintiffs allege that they have become victims of identity theft and have suffered monetary damages as a result. This constitutes an injury in fact under the law.
Resnick, 693 F.3d at 1323. The Resnick Court acknowledged in dicta that in the context of identity theft, some circuit courts of appeal, “have found that even the threat of future identity theft is sufficient to confer standing in similar circumstances. Krottner v. Starbucks Corp., 628 *1284F.3d 1139, 1142-43 (9th Cir.2010) (finding an injury in fact where plaintiffs alleged a data breach and threat of identity theft, but no actual identity theft); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir.2007) (same).” The Court reasoned that because the Resnick plaintiffs “alleged only actual — not speculative — identity theft, we need not address the issue of whether speculative identity theft would be sufficient to confer standing.” Id. at 1323, n. 1. From this language, it is not entirely clear to this Court whether the allegation of actual identify theft alone or the allegation actual identity theft plus the allegation of monetary damages prompted the Res-nick majority to find that the Resnick plaintiffs had standing to pursue their identity theft claims.3
Because Resnick does not provide clear direction with respect to Mr. Burton’s pleading obligation in this consumer data theft action and because Alabama law governs Mr. Burton’s negligence claim, the Court turns to Alabama law for guidance.4 In the context of a statute of limitations analysis, the Alabama Supreme Court has held:
The general principle at issue was well stated by Dean Prosser in explaining that the fourth element of a cause of action for negligence, ‘actual loss or damage,’ requires more than nominal damages. ‘[Pjroof of damage [is] an essential part of the plaintiffs case. Nominal damages, to vindicate a technical right, cannot be recovered in a negligence action, where no actual loss has occurred. The threat of future harm, not yet realized, is not enough.’
Ex parte Stonebrook Development, L.L.C., 854 So.2d 584, 589 (Ala.2003) (emphasis in opinion) (quoting William C. Prosser, Handbook of the Law of Torts, § 30 (4th ed.1971)). Elsewhere in Stonebrook Development, the Alabama Supreme Court noted:
In actions such as the case at bar, the act complained of does not itself inflict a legal injury at the time it is done, but plaintiffs injury only follows as a result and a subsequent development of the defendant’s act. . “In such cases, the cause of action ‘accrues,’ and the statute of limitations begins to run, ‘when and only when, the damages are sustained.’ ”
Id. at 588-89 (emphasis in opinion).
The language quoted above goes to the heart of Article Ill’s case or controversy requirement. Under Alabama law, a negligence claim is not ripe until a plaintiff has incurred actual damages. Thus, whether framed as an issue of standing or as an issue of ripeness, Mr. Burton cannot *1285press forward unless he plausibly alleges not only that fraudulent charges appeared on his debit account as a consequence of the MAPCO data breach but also that he incurred damages as a result. If he cannot plausibly allege and ultimately prove actual damages (for example, an allegation that the charges on his account were not forgiven, and he had to pay for the charges), then the Court must dismiss his negligence claim for lack of subject matter jurisdiction because he cannot plead an Article III ease or controversy. His current allegation that his debit card was used for just under $300.00 of unauthorized purchases at a gas station in Florida is not enough to survive a Rule 12(b)(1) challenge to subject matter jurisdiction.5
Because this is largely unchartered territory, the Court will offer Mr. Burton one final opportunity to plead his negligence claim against the defendants. In doing so, the Court brings to the parties’ attention one other issue with respect to subject matter jurisdiction. Mr. Burton has alleged only one potentially plausible statutory basis for subject matter jurisdiction in his amended complaint: 28 U.S.C. § 1332(d); as discussed below, none of Mr. Burton’s federal claims can survive a motion to dismiss. The Court questions whether Mr. Burton plausibly can plead that more than $5 million in actual damages is at issue with respect to consumer losses, given the fact that financial institutions in two class actions have sued the defendants, alleging that the defendants’ “failure to adequately safeguard customer identification information and related data” and their “failure to maintain adequate encryption, intrusion detection and prevention procedures in their computer systems” caused the financial institutions to “incur[ ] significant losses associated with ... customer reimbursement for fraud losses” or “reversal of customer charges.” Winsouth Credit Union v. MAPCO, 3:14-cv-01573 (M.D.Tenn. July 31, 2014), Doc. 1, ¶¶ 1, 2, 51; see also First National Community Bank v. Mapco, 4:14-cv-00031-HLM (N.D.Ga. February 19, 2014), Doc. 1, ¶¶ 1, 2, 52.6 If consumers’ financial institutions have forgiven or reimbursed the vast majority of the purported fraudulent charges on consumers’ accounts, then it is difficult to imagine that a consumer plaintiff will be able to sustain jurisdiction over the long haul under 28 U.S.C. § 1332(d), given the $ 5 million amount in controversy requirement.
Accordingly, the Court denies the defendants’ motion to dismiss on standing grounds. Consistent with this opinion, Mr. *1286Burton may file a second amended complaint within 14 days. If his allegations are not sufficient to plausibly establish standing, then the Court may dismiss the complaint sua sponte for lack of subject matter jurisdiction.
2. Rule 12(b)(6) analysis7
The defendants have presented a number of arguments in favor of dismissal of Mr. Burton’s negligence claim under Rule 12(b)(6) and Iqbal. (Doc. 22). Under Alabama law, the elements of a negligence claim are duty, breach of duty, proximate cause, and damages. Prill v. Marrone, 23 So.3d 1, 6 (Ala.2009); Sessions v. Nonnenmann, 842 So.2d 649, 651 (Ala.2002) (quoting Ex parte Harold L. Martin Distrib. Co., 769 So.2d 313, 314 (Ala.2000) (quoting in turn other authorities)). The Court already has discussed the damages issue in this case. Mr. Burton alleges multiple duty theories in his amended complaint. (Doc. 20, ¶¶ 63-73). He may, if he chooses, refine his allegations of duty and causation in his second amended complaint. If Mr. Burton successfully pleads facts sufficient to establish an Article III controversy in his second amended complaint, then the Court will consider a Rule 12(b)(6) challenge to his negligence claim, should the defendants wish to present one. The Court will resolve the jurisdictional issue first.
B. Fair Credit Reporting Act Claims
Mr. Burton asserts that the defendants violated the Fair Credit Reporting Act (“FRCA”) by improperly disposing or transferring consumer information. (Doc. 20, ¶ 23-24, 35). Congress enacted the FCRA “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information. ...” 15 U.S.C. § 1681(b) (2012). “To achieve its purpose, the [Act] places distinct obligations on three types of entities: consumer reporting agencies, users of consumer reports, and furnishers of information to consumer reporting agencies.” Chipka v. Bank of Am., 355 Fed.Appx. 380, 382 (11th Cir.2009) (citing 15 U.S.C. §§ 1681b, 1681m, and 1681s-2).
Mr. Burton alleges that MAPCO is a “Consumer Reporting Agency.” (Doc. 20, ¶ 32). MAPCO disagrees. (Doc. 22, p. 6). A “consumer reporting agency” is
any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses *1287any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
15 U.S.C. § 1681a(f). Mr. Burton argues that he has alleged both intentional and negligent violations of the FCRA:
Plaintiff has alleged that the Defendants’ (sic) deliberate and reckless conduct allowed third parties to steal, or otherwise access, the personal and private information of the Plaintiff without the Plaintiffs’ or Class Members’ consent and for no permissible purpose under FCRA. Allegations include Defendant’s violation of the FCRA. Plaintiffs and class members have been damaged by Defendants’ (sic) deliberate and/or reckless actions. (SAC ¶’s 23-55).
The standards of the FCRA are there to reduce the risk of consumer frauds and related harms. A criminal attack was possible because of Mapeo’s intentional and negligent violations of the FCRA. The severity of the attack was increased because MAPCO did not follow all of the standards of the FCRA.
(Doc. 27, p. 8).
Mr. Burton offers no support for his assertion that the defendants are within the requirements of FCRA, no support for his assertion that the defendants are a “consumer reporting agency,” and no support for his assertion that the theft of credit card information constitutes “furnishing consumer reports” or “disposal” of consumer information for purposes of violation of the Act. Mr. Burton has not identified a FCRA “standard” which the defendants purportedly violated.
When faced with a similar pleading, the Southern District of Ohio ruled:
Named Plaintiffs’ vague allegation that Defendant violated the [FCRA] by “failing to adopt and maintain such protective procedures ...,” [ ], is insufficient to confer statutory standing because it fails to allege Defendant violated one of the requirements of the subchapter. In other words, the Complaint does not allege a specific requirement in the FCRA that Defendant failed to perform or a specific prohibition that Defendant ignored.
To hold otherwise would confer statutory standing on any plaintiff who alleges a defendant violated the purpose of a statute regardless of whether the defendant took or failed to take an action the statute prohibited or required. The Court cannot find that Congress intended to confer statutory standing in instances where a plaintiff' alleges a defendant violated a statute in a manner other than as provided by Congress in the statute. Accordingly, Named Plaintiffs do not have statutory standing to bring their FCRA claims because they have not alleged injury arising from the violation of a particular statutory requirement or prohibition set forth in the FCRA.
Galaria v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646, 653 (S.D.Ohio 2014).' As MAPCO notes, “Burton makes no serious attempt to save his FCRA claims.” (Doc. 28, p. 1). Therefore, the Court will dismiss Counts I and II of the second amended complaint.
C. Invasion of Privacy Claims
The tort of invasion of privacy under Alabama law covers a variety of wrongs. See e.g., Butler v. Town of Argo, 871 So.2d 1, 12 (Ala.2003) (citation omitted). Mr. Burton alleges that the release of his financial information constituted an invasion of privacy by public disclosure of private facts. Such a claim requires at least an allegation of “publicity” — specifically, “making ... public, by communicating it to the public at large, or to so many persons that the matter must be regarded *1288as substantially certain to become one of public knowledge.” Ex parte Birmingham News, Inc., 778 So.2d 814, 818 (Ala.2000) (quoting Comments to Restatement (Second) of Torts § 652). Mr. Burton does not allege that the defendants gave “publicity” to his private information, a required element of this claim. Mr. Burton offers no legal basis for his claim that a theft of data from a merchant constitutes communication of the information stolen to the public. Without such disclosure to the public at large, there is no tort. See e.g., McNeil v. Best Buy Co., Inc., 2014 WL 1316935 (E.D.Mo.2014) (“Plaintiff fails to identify any personal facts that were publicized, nor does he allege when such facts were publicized or to whom.... The alleged threat of some future publication is too speculative to state a claim ... and so Plaintiffs claim for public disclosure of private facts must be dismissed.”).
Even if Mr. Burton had alleged facts concerning public disclosure, his invasion of privacy claim suffers from another fatal flaw. Under Alabama law, invasion of privacy is an intentional tort. See e.g., Rosen v. Montgomery Surgical Ctr., 825 So.2d 735, 737 (Ala.2001) (quoting Carter v. Innisfree Hotel, Inc., 661 So.2d 1174, 1178 (Ala.1995) (“This Court defines the tort of invasion of privacy as the intentional wrongful intrusion into one’s private activities in such a manner as to outrage or cause mental suffering, shame, or humiliation to a person of ordinary sensibilities.”)). Even if the defendants were negligent, as alleged, in safeguarding Mr. Burton’s account information, such negligence' does not morph into an intentional act of divulging his confidential information. Mr. Burton has alleged no plausible facts concerning intentional conduct.
Therefore, the Court will dismiss Count III of the second amended complaint.
CONCLUSION
For the reasons outlined above, the Court GRANTS IN PART and DENIES IN PART the defendants’ motion to dismiss. The Court will dismiss with prejudice Mr. Burton’s Fair Credit Reporting Act claims (Counts I and II) and Mr. Burton’s invasion of privacy claim (Count III). (Doc. 20). The Court will permit Burton one final opportunity to amend his complaint to allege his negligence claim.8