Posted on Leave a comment

Sonic Customer Data Breach Opinion & Order

[hurrytimer id="104941"]

(Financial Institutions).

MDL Case No. 1:17-md-02807-JSG.
United States District Court, N.D. Ohio.

November 2, 2020.


[Resolving Doc. No. 240, 258]

JAMES S. GWIN, District Judge.

American Airlines Federal Credit Union, Arkansas Federal Credit Union, and Redstone Federal Credit Union (“Plaintiffs”) bring this class action claim against Sonic Corporation[1] for alleged damages coming out of a 2017 payment card data breach by unidentified actors. The hackers targeted 762 Sonic Drive-In locations.[2]

Plaintiffs now seek to certify a class of: “All banks, credit unions, financial institutions, and other entities in the United States that received an alert of a potentially compromised account from any card brand in the Sonic Data Breach.”[3]

For the following reasons, the Court GRANTS Plaintiffs’ motion to certify a class of Plaintiffs. The Court will, however, define the class differently than Plaintiffs’ proposal. The Court certifies a class of: All banks, credit unions, and financial institutions in the United States that received notice and took action to reissue credit cards or reimbursed a compromised account from any card brand involved with the Sonic Data Breach.

I. Background

A. The Data Breach

Between April 7, 2017, and October 28, 2017, hackers used malware installed on point-ofsale systems at 762 Sonic restaurants to steal sales transaction payment card data. Sonic required franchise restaurants to use only certain types of point-of-sale systems.[4] In 2017, many Sonic restaurants used obsolete technology that was vulnerable to hacking.[5]

The hackers targeted Sonic franchises that used a particular point-of-sale system and were able to obtain cardholder data.[6] Plaintiffs claim the industry standard requires encryption of stored credit card data, but Sonic’s franchisees used outdated technology—mandated by Sonic corporate policy—and did not encrypt the stolen card data.[7]

A following investigation revealed that the stolen data had been sold online.[8] The hackers were able to steal credit card data with impunity for more than six months because Sonic had set up security alerts using an invalid e-mail address.[9] Five million payment cards’ data were sold online.[10]

Plaintiffs allege that “Visa and other card brands determined” that the compromised cards had all been used at Sonic restaurants.[11]

View the full Ohio district court ruling here.


Leave a Reply