Sonic Won’t Escape Trial In Data Breach Class Action

A federal judge has denied fast-food chain Sonic’s bid for an early judgment in a class action over a massive data breach in which hackers gained access to cash registers at 762 franchise restaurants. 

In an order filed Tuesday in Ohio federal court, U.S. District Judge James S. Gwin agreed with three credit unions suing Sonic that “genuine fact questions remain” for a jury to determine, rejecting the restaurant chain’s argument that the complaint fell short of standards for a negligence claim under Oklahoma law. Sonic is headquartered in Oklahoma City. 

According to the order, “Sonic had a duty to prevent the criminal acts of hackers because Sonic’s affirmative acts created a risk of harm, and Sonic knew or should have known that the risk of hacking made its flawed security practices unreasonably dangerous.” 

In 2017, hackers used VPN credentials stolen from Infor, the company that provided software for cash registers at Sonic franchises, to access cash registers and collect unencrypted payment card data. The theft continued undetected for more than six months.

The Judicial Panel on Multidistrict Litigation centralized five potential consumer class actions against Sonic in the Northern District of Ohio, which settled for $4.3 million in 2018. Financial institutions then filed suit later the same year. 

American Airlines Federal Credit Union, Redstone Federal Credit Union and Arkansas Federal Credit Union said they had to reissue credit cards and reimburse customers after hackers breached the payment system and stole personal financial information — a breach they insist would not have occurred had Sonic acted in compliance with its own policies and security auditor. The companies represent a class of financial institutions that may include thousands of banks, Judge Gwin found last year. 

Sonic has said that Infor was solely responsible for all the factors that contributed to the breach, and that the credit unions failed to show that Sonic either owed them a duty of care or caused the alleged damages under Oklahoma law. 

But according to Judge Gwin’s order Tuesday, Sonic did multiple things to expose the credit unions to a “high degree of risk.” The parties agree on two of Sonic’s actions, Judge Gwin wrote: First, Sonic left Infor’s remote access permanently enabled, without blocking foreign IP addresses, “meaning that a hacker who obtained the Infor credential could connect to the VPN at any time” and access each franchise point-of-sale system. Second, Sonic created a weak remote access password for the VPN, and did not enable multifactor authentication. 

But “the evidence, viewed in the light most favorable to plaintiffs, suggests two additional affirmative acts by Sonic” that created a foreseeable risk of harm, Judge Gwin found. The restaurant chain required its franchises to use software that didn’t support end-to-end encryption, and Sonic controlled the software updates and upgrades “and caused delays that left franchisees operating vulnerable systems.” 

Sonic has maintained that these actions did not cause the breach or the resulting harms to the credit unions. But on Tuesday, Judge Gwin said the issue of proximate cause is a “jury fact question,” while signaling a difficult road ahead for the embattled restaurant chain.

“Sonic’s role in creating the numerous and distinct vulnerabilities that separately contributed to plaintiffs’ claimed injuries is a sufficiently disputed material fact,” according to the order, and in its motion for summary judgment, the company failed to present evidence to show that it was not responsible. 

A reasonable jury could find that the hack was a foreseeable outcome of Sonic’s actions, from “inexplicably” granting Infor access to “over 760 Sonic franchisees’ payment systems without requiring dual authentication,” to its failure to monitor and log suspicious activity — which allowed hackers to mine payment card information for more than six months, said Judge Gwin. 

Counsel for the parties did not immediately respond to requests for comment Wednesday. 

The financial institutions are represented by Brian C. Gudmundson and Michael J. Laird of Zimmerman Reed LLP, Charles H. Van Horn, Katherine M. Silverman and Lauren S. Frisch of Berman Fink Van Horn PC, Joseph P. Guglielmo, Erin Green Comite and Margaret Ferron of Scott + Scott Attorneys at Law LLP, Karen Sharp Halbert and William R. Olson of Roberts Law Firm PA and Arthur M. Murray, Stephen B. Murray Sr. and Caroline Thomas White of Murray Law Firm. 

Sonic is represented by Kari M. Rollins, Craig C. Cardon, Liisa M. Thomas and David M. Poell of Sheppard Mullin Richter & Hampton LLP. 

The case is In Re: Sonic Corp. Customer Data Breach Litigation, case number 1:17-md-02807, in the U.S. District Court for the Northern District of Ohio. 

Victoria Mckenzie / Law360