Sonic hit with class action suit over POS data breach
Sonic hit with class action suit over POS data breach

Two Sonic Drive-In customers are taking legal action against Sonic for allowing their payment card data to possibly have been compromised when the fast-food chain's POS system was hacked and are demanding the company pay for credit monitoring services for those affected.

Two Oregon residents, Michelle Vanderzanden and James Carlson, are looking to represent all potentially affected Sonic customers with their lawsuit that was filed yesterday in the U.S. District Court, District Court of Oregon, Portland Division. Court documents state the two are filing this suit on behalf of the possible five million people who may be affected and the plaintiffs believe their information was compromised due to negligence on Sonic's behalf.

“In an attempt to increase profits, Sonic Corporation negligently failed to maintain adequate technological safeguards to protect plaintiffs' information from unauthorized access by hackers. Sonic Corporation knew and should have known that failure to maintain adequate technological safeguards could eventually result in a massive data breach,” the court document states.

Continue Reading Below

On Sept. 27 a Sonic spokesperson told SC Media the company was notified last week by its credit card processor that there was unusual activity involving cards used at Sonic restaurants. KrebsonSecurity is reporting that a recent dump of credit card info on a dark web credit card market called Joker's Stash contains card numbers recently used at Sonic, which were on sale for $25-$50 and are most likely tied to the breach.

Christi Woodworth, Sonic's vice president of public relations told SC Media in an emailed note, "As Sonic's investigation is ongoing into this matter, it is premature to discuss the size and scope of this matter. We have a longstanding practice to not discuss pending or current litigation in the media.

In an earlier communication the company told SC that the company had no new information regarding the breach itself.