American Airlines Federal Credit Union is suing Sonic restaurants over lost revenue resulting from a 2017 data breach at Sonic.
In its lawsuit, the credit union claims that Sonic failed to adequately protect its point of sale systems or update them when new technology became available. The suit states that about a quarter of Sonic's POS systems were nearly 30 years old and could no longer receive security updates at the time of the breach. The lawsuit alleges that, as a result, cybercriminals were able to infiltrate the systems with malware and steal credit and debit card numbers.
The credit union alleges that it and other financial institutions lost significant amounts of money because of the Sonic data breach. The breach forced the credit union to cancel or reissue cards, close accounts, block transactions, refund affected customers, and increase fraud monitoring efforts, and also caused a decline in card usage.
The credit union is seeking class action status for the lawsuit to allow other financial institutions to seek compensation. The credit union believes it and other institutions are owed at least five million dollars.
Sonic recently agreed to pay up to $4.3 million to settle a lawsuit brought against it by customers affected by the 2017 data breach. Dale Denwalt "Sonic Corp. sued for $5 million over 2017 data breach" newsok.com (Mar. 06, 2019).
In recent years, a number of organizations have faced lawsuits over unprotected point of sale systems. Several judges have ruled that lawsuits in which financial institutions sue companies for lost revenue following a breach can proceed. Many companies have settled these lawsuits, sometimes at great expense, to avoid the even higher costs of going to court. For example, in 2017, Office Depot paid $27 million to settle a lawsuit brought against it by financial institutions.
Because none of these cases have yet gone to trial, organizations do not know exactly how much liability they have when cybercriminals steal credit and debit card information and financial institutions sue. Without a precedent in place and to protect customers, organizations should err on the side of overprotecting customer financial information.
Organizations must make sure to use the latest, most secure software and hardware on systems that collect and store customer credit and debit card numbers and other financial information. If you use point of sale systems, only use those that are new enough to continue to receive patches and security updates. Install firewalls, security software, and other cyber protections to keep customer card numbers stored on computers and in your network safe. As soon as hardware becomes obsolete, immediately replace it with the latest, most secure model.
Although buying new hardware and software can be pricy, it costs far less in lost time and money than recovering from a data breach. Because breaches have become so common, using the latest technology will give you a competitive advantage in a field of companies who too often ignore cybersecurity.