Litigation filed against American fast-food chain Sonic over a 2017 data breach has been allowed to proceed.
Financial institutions brought a lawsuit against Sonic Corp after it emerged that financial data belonging to customers of the restaurant had been stolen in a cyber-attack. The attacker(s) installed malware on a point-of-sale system used at hundreds of Sonic franchises.
In a data breach notice issued at the time of the attack, Sonic stated: “Sonic Drive-In has discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations.”
Sonic is based in Oklahoma City and has nearly 3,600 locations across 45 US states. An investigation into the attack found that customers’ payment card data had been exposed at more than 700 Sonic franchised drive-in locations.
Under Sonic’s franchise agreement, the franchisees were required to give Sonic access to their transaction data through a Sonic-managed virtual private network (VPN). Hackers accessed this data using VPN credentials issued to a transaction-processing service by Sonic.
Sonic has argued that the plaintiffs can’t prove that it was guilty of “affirmative acts” that exposed its customers to an “unreasonably high risk of harm.” According to the restaurant chain, any blame for the breach lies with the point-of-sale vendor that it employed, Infor Restaurants Services Inc.
On Tuesday in Cleveland, Ohio, US District Judge James Gwin denied Sonic’s motion for summary judgement. Gwin found that material facts in the case “remain unresolved” and that Sonic owed a duty of care to the financial institutions that had brought the case.
“Sonic had a duty to prevent the criminal acts of hackers because Sonic’s affirmative acts created a risk of harm, and Sonic knew or should have known that the risk of hacking made its flawed security practices unreasonably dangerous,” said Gwin.
In the ruling, Gwin cited several actions allegedly performed by Sonic that had created risk. Among these was creating a “permanently-enabled VPN tunnel” that allowed anyone with Infor credentials and a remote user credential to access the system without multi-factor authentication.