Filed by Chicago resident Clara Hughes-Hillman, the lawsuit claims Sonic Corp. should have known to enable adequate protection of its consumer data, particularly in light of recent, well-publicized data breaches at other large chain restaurants and companies.
On September 26, 2017, Sonic announced that its payment system had been breached and that personal identifying information for up to five million credit card and debit card owners had been stolen. The complaint alleges that the stolen data is sufficient to enable fraudulent charges to be made to the accounts of those five million credit and debit card holders.
Sonic has nearly 3,600 locations across 45 states. In its September statement, the restaurant chain noted that the stolen credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at “certain Sonic Drive-In locations.” The company said it was working on an investigation in conjunction with third-party forensics firms, in addition to cooperating with law enforcement investigations.
Notably, while Sonic has admitted to a data breach in September, the plaintiff alleges that she last frequented a Sonic restaurant in August and September of 2016, a full year prior to Sonic publicly admitting to the breach.
According to the proposed class action, the affected consumers are now vulnerable to unauthorized charges and theft of personal financial information, must bear the costs of preventing and detecting identity theft, and may even lose financial standing as a result of the loss of access to funds, the possible inability to make payments on bills and loans, and other adverse effects to their credit.
“Had Sonic implemented and maintained adequate safeguards to protect Customer Data, deter the hackers, and detect the breach within a reasonable amount of time, it is more likely than not that it would have been able to prevent the Data Breach,” the complaint states. “As a result of the Data Breach, the Customer Data of Plaintiff and the Class members have been exposed to criminals and is ripe for misuse.”
Hughes-Hillman seeks certification of a nationwide class of consumers whose personal financial information had been made vulnerable by Sonic to hackers who have put credit card numbers up for sale on the dark web. The complaint asks the court for damages, restitution and disgorgement from Sonic.
Hughes-Hillman and the putative class are represented by Kasif Khowaja and Frank Castiglione of The Khowaja Law Firm LLC, Brian Murray and Bryan Faubus of Glancy Prongay & Murray LLP, Paul Whalen of the Law Office of Paul C. Whalen PC, Jasper D. Ward IV of Jones Ward PLC, John Yanchunis of Morgan & Morgan Complex Litigation Group and Jean Martin of the Law Office of Jean Sutton Martin PLLC.
The case is Hughes-Hillman v. Sonic Corp., case number 1:17-cv-09062 in the U.S. District Court for the Northern District of Illinois.