BreachExchange mailing list archives
Sonic Corp. sued for $5 million over 2017 data breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 7 Mar 2019 09:39:56 -0600
https://newsok.com/article/5624861/sonic-corp-sued-over-data-breach A 2017 data breach at Sonic restaurants caused financial institutions to lose revenue, a new lawsuit claims. American Airlines Federal Credit Union claims in its lawsuit filed Monday that Sonic failed to protect its point of sale systems or update them with current technology. Because of that, the lawsuit claims, hackers used malware to infiltrate the systems and steal cardholder information. The credit union said that because of the breach, it had to cancel or reissue cards, close accounts, block transactions, refund affected customers and increase fraud monitoring efforts. That along with a decline in card usage following the breach, cost AAFCU money, the lawsuit states. AAFCU has asked the federal court in the Western District of Oklahoma to certify the case as a class action, which would allow other financial institutions to seek compensation. Sonic declined to comment, saying that the company does not discuss pending or current litigation in the media. The credit union could not be reached for comment. According to the lawsuit, Sonic used inadequate security measures in its POS, or point of sale system that handles credit and debit card transactions. "At the time of the breach, nearly a quarter of Sonic’s restaurants used POS systems that were nearly thirty years old. Sonic implemented and utilized operating systems and programs that no longer received security updates, rendering them unable to effectively prevent data breaches," lawyers for the AAFCU wrote. The plaintiffs claim they and other parties could be owed at least $5 million. Monday's lawsuit comes on the heels of a claim filed by Sonic customers after the same breach. Sonic eventually agreed to pay up to $4.3 million, with affected customers receiving between $10 and $40 each. In similar cases around the country, financial institutions have found success suing retailers who were the target of data breaches. Several judges have ruled these kinds of cases can be heard in court, and companies have settled claims to avoid a costly trial. A 2017 settlement agreement saw Home Depot pay more than $27 million to end a case, and fast food giant Wendy's settled similar claims just last month in a separate breach. Because those outcomes avoided a trial, Oklahoma City attorney Gideon Lincecum said it's hard to say what the law actually is. Without a court ruling, there's no telling how much liability the retailers actually have when criminals attack third-party programs that process cards created by financial institutions. "I can understand why it's frustrating for a defendant in this situation, because you have someone committing a crime, and now you're being held accountable for that crime because you didn't do enough to prevent it," said Lincecum, a partner at the Holladay & Chilton law firm. "I think there's some argument that if you're going to accept payment in a certain form, that you at least to be reasonable in your protection of that information. But basic negligence allegations ignores the fact that hackers don't act reasonably." _______________________________________________ BreachExchange mailing list sponsored by Risk Based Security BreachExchange () lists riskbasedsecurity com If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange
Current thread:
- Sonic Corp. sued for $5 million over 2017 data breach Destry Winant (Mar 07)