Credit union sues Sonic over breach
A 2017 data breach at Sonic restaurants caused financial institutions to lose revenue, a new lawsuit claims. American Airlines Federal Credit Union claims in its lawsuit filed Monday that Sonic failed to protect its point of sale systems or update them with current technology. Because of that, the lawsuit claims, hackers used malware to infiltrate the systems and steal cardholder information. The credit union said that because of the breach, it had to cancel or reissue cards, close accounts, block transactions, refund affected customers and increase fraud monitoring efforts. That along with a decline in card usage following the breach, cost AAFCU money, the lawsuit states. AAFCU has asked the federal court in Oklahoma City to certify the case as a class action, which would allow other financial institutions to seek compensation. Sonic declined to comment, saying that the company does not discuss pending or current litigation in the media. The credit union could not be reached for comment. According to the lawsuit, Sonic used inadequate security measures in its "POS," or point of sale system, that handles credit and debit card transactions. "At the time of the breach, nearly a quarter of Sonic's restaurants used POS systems that were nearly 30 years old. Sonic implemented and utilized operating systems and programs that no longer received security updates, rendering them unable to effectively prevent data breaches," lawyers for the AAFCU wrote. The plaintiffs claim they and other parties could be owed at least $5 million. Monday's lawsuit comes on the heels of a claim filed by Sonic customers after the same breach. Sonic eventually agreed to pay up to $4.3 million, with affected customers receiving between $10 and $40 each. In similar cases throughout the country, financial institutions have found success suing retailers that were the target of data breaches. Several judges have ruled these kinds of cases can be heard in court, and companies have settled claims to avoid a costly trial. A 2017 settlement agreement saw Home Depot pay more than $27 million to end a case, and fast food giant Wendy's settled similar claims just last month in a separate breach. Because those outcomes avoided a trial, Oklahoma City attorney Gideon Lincecum said it's hard to say what the law actually is. Without a court ruling, there's no telling how much liability the retailers actually have when criminals attack third-party programs that process cards created by financial institutions. "I can understand why it's frustrating for a defendant in this situation, because you have someone committing a crime, and now you're being held accountable for that crime because you didn't do enough to prevent it," said Lincecum, a partner at the Holladay & Chilton law firm. "I think there's some argument that if you're going to accept payment in a certain form, that you at least to be reasonable in your protection of that information. But basic negligence allegations ignores the fact that hackers don't act reasonably."