Court Ruling Opens Door for CU Class Action Lawsuit in Sonic Data Breach

Judge's order allows class action lawsuit to represent all financial institutions affected by one of the largest payment card hacks of 2017.


A federal judge’s ruling cleared the path for a credit union class action lawsuit to represent all financial institutions that may have suffered damages from the 2017 data breach of drive-in food chain Sonic restaurants, which compromised payment cards for up to five million customers.

The class action claim against Sonic was brought by the $8.6 billion American Airlines Federal Credit Union in Fort Worth, Texas, the $1.5 billion Arkansas Federal Credit Union in Jacksonville, Ark. and the $6.2 billion Redstone Federal Credit Union in Huntsville, Ala.

For their class action suit, the credit unions sought to represent all financial institutions affected by the Sonic breach.

However, to represent all financial institutions affected by the data breach, the credit unions first had to ask U.S. District Court Judge James Gwin in Cleveland to certify that the credit unions could sue as a class of financial institutions under four prerequisites required by a federal civil procedure rule.

After determining that the four prerequisites were met, Judge Gwin on Monday certified the credit unions’ lawsuit to represent a class consisting of banks, credit unions and other financial institutions in the U.S. that received notice of the breach and took action to reissue credit cards or reimburse a compromised account from any card brand involved in the Sonic data breach.

There are potentially thousands of class member financial institutions that were affected by one of the largest data breaches in 2017, according to court documents.

Between April 7, 2017 and Oct. 28, 2017, hackers used malware installed on point of sale systems at 762 Sonic restaurants to steal payment card information. According to court documents, many Sonic restaurants used obsolete technology that was vulnerable to hacking.

This outdated technology did not encrypt the card data, which the credit union lawsuit claims is a required industry standard.

The hackers were able to steal card data with impunity for more than six months because Sonic had set up security alerts using an invalid email address, and five million payment cards’ data were sold online, according to an investigation.