Sonic Class Action Claims Data Breach Exposed Millions to Credit Fraud

Two customers of the Sonic fast food chain are taking the company to task for allowing their debit and credit card information to be exposed in a data breach.

Plaintiffs Michelle Vanderzanden of Oregon and James Carlton of Washington say defendant Sonic Corporation failed in its legal duty to protect its customers’ credit and debit card information.

Through skimpy data protection and late notification about the breach, Sonic unnecessarily exposed its customers to an excessive risk of identity theft, the plaintiffs claim.

Sonic is a nationwide fast food chain with more than 3,500 restaurants in 44 different states, including the plaintiffs’ home states of Oregon and Washington.

According to this Sonic class action lawsuit, Sonic announced just a few days ago that its credit card processor had been hacked. The breach allegedly affected the company’s system of electronic cash registers, known as point-of-sale terminals. It’s not yet known whether the breach affected just a few Sonic restaurants or every restaurant in the chain.

The hackers could have gotten access to millions of credit and debit card numbers of Sonic customers. The plaintiffs estimate around 5 million potential Class Members could be affected, causing an estimated $2.3 billion in damages.

Tech security blog KrebsOnSecurity reports the card numbers stolen from Sonic have already been offered for sale on a black-market data exchange known as Joker’s Stash.

The plaintiffs say the Sonic data breach is the result of Sonic skimping on its investment in data security, saving money for itself while putting its customers’ credit data at an unreasonable risk. They say Sonic knew and should have known that without adequate technological safeguards, they would eventually be the target of a significant data breach.

“Sonic Corporation could have and should have substantially increased the amount of money it spent to protect against cyber-attacks but chose not to,” the plaintiffs claim. “Consumers should not have to bear the expense caused by Sonic Corporation’s negligent failure to safeguard their credit and debit card information from cyber-attackers.”

Vanderzanden and Carlton argue that Sonic should have notified persons affected by the Sonic data breach much sooner than they actually did. Earlier notification would have given affected persons a chance to minimize their exposure to the risk of credit fraud and identity theft, they allege.

The plaintiffs’ proposed Class is defined as all persons whose debit or credit card information was collected and stored by Sonic in the past year, who were subject to a risk of data loss, credit harm and identity theft resulting from the Sonic data breach, and who could have prevented or mitigated that harm if Sonic had notified them of the breach as soon as possible.

Vanderzanden and Carlton are asking for court orders certifying the proposed Class and requiring Sonic Corp. to preserve all relevant documents and information. They also seek an award of damages, reimbursement of court costs, and any other relief the court deems necessary.

The plaintiffs are represented by attorneys Michael Fuller of Olsen Daines PC and Mark Geragos, Ben Meiselas and Lori Feldman of Geragos & Geragos.

The Sonic Data Breach Class Action Lawsuit is Vanderzanden and Carlton v. Sonic Corp., Case No. 3:17-cv-1528, in the U.S. District Court for the District of Oregon.

UPDATE: On Oct. 10, 2018, Sonic agreed to pay $4.3 million to exit multiple class action lawsuits alleging the fast food company failed to properly protect customer data that was exposed in a data breach.

UPDATE 2: January 2019, the Sonic data breach class action settlement is now open. Click here to file a claim.

UPDATE 3: On Nov. 14, 2019, Top Class Actions viewers started receiving checks in the mail worth $129.76 from the Sonic data breach settlement. Congratulations to everyone who filed a valid claim and got PAID!