[BreachExchange] Sonic Corp. sued for $5 million over 2017 data breach

Destry Winant destry at riskbasedsecurity.com
Thu Mar 7 10:39:56 EST 2019


A 2017 data breach at Sonic restaurants caused financial institutions
to lose revenue, a new lawsuit claims.

American Airlines Federal Credit Union claims in its lawsuit filed
Monday that Sonic failed to protect its point of sale systems or
update them with current technology. Because of that, the lawsuit
claims, hackers used malware to infiltrate the systems and steal
cardholder information.

The credit union said that because of the breach, it had to cancel or
reissue cards, close accounts, block transactions, refund affected
customers and increase fraud monitoring efforts. That, along with a
decline in card usage following the breach, cost AAFCU money, the
lawsuit states. AAFCU has asked the federal court in the Western
District of Oklahoma to certify the case as a class action, which
would allow other financial institutions to seek compensation.

Sonic declined to comment, saying that the company does not discuss
pending or current litigation in the media. The credit union could not
be reached for comment.

According to the lawsuit, Sonic used inadequate security measures in
its POS, or point of sale system that handles credit and debit card

"At the time of the breach, nearly a quarter of Sonic’s restaurants
used POS systems that were nearly thirty years old. Sonic implemented
and utilized operating systems and programs that no longer received
security updates, rendering them unable to effectively prevent data
breaches," lawyers for the AAFCU wrote.

The plaintiffs claim they and other parties could be owed at least $5 million.

Monday's lawsuit comes on the heels of a claim filed by Sonic
customers after the same breach. Sonic eventually agreed to pay up to
$4.3 million, with affected customers receiving between $10 and $40

In similar cases around the country, financial institutions have found
success suing retailers who were the target of data breaches. Several
judges have ruled these kinds of cases can be heard in court, and
companies have settled claims to avoid a costly trial. A 2017
settlement agreement saw Home Depot pay more than $27 million to end a
case, and fast food giant Wendy's settled similar claims just last
month in a separate breach.

Because those outcomes avoided a trial, Oklahoma City attorney Gideon
Lincecum said it's hard to say what the law actually is. Without a
court ruling, there's no telling how much liability the retailers
actually have when criminals attack third-party programs that process
cards created by financial institutions.

"I can understand why it's frustrating for a defendant in this
situation, because you have someone committing a crime, and now you're
being held accountable for that crime because you didn't do enough to
prevent it," said Lincecum, a partner at the Holladay & Chilton law
firm. "I think there's some argument that if you're going to accept
payment in a certain form, that you at least to be reasonable in your
protection of that information. But basic negligence allegations
ignores the fact that hackers don't act reasonably."
