In Re: Sonic Corp. Customer Data Security Breach
1:17-md-02807
N.D. Ohio, Sep 7, 2021
Background
- In 2017 hackers stole payment-card data from 762 Sonic-branded franchised restaurants by exploiting remote access to franchise systems.
- Sonic required franchisees to route transactions through Sonic-controlled infrastructure (First Data and Sonic-managed VPN) and assisted Infor with VPN access, issuing an "infor_nrowan" credential.
- The PAYS environment (used at drive-throughs/inside restaurants) decrypted card data during processing; middleware (WinEPS 828) did not support end-to-end encryption and Sonic delayed upgrades to OpenEPS.
- Hackers used Infor-issued VPN credentials to access the VPN for over six months; vulnerabilities included permanently enabled remote access, weak/password-only authentication (no MFA), lack of centralized logging/alerts, and outdated software.
- Financial institutions sued Sonic for negligence; following class certification, Sonic moved for summary judgment. The court denied summary judgment, finding genuine fact issues on duty and proximate cause.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Duty: whether Sonic owed a duty to prevent third-party hacking | Sonic affirmatively created and managed insecure systems (permanently enabled VPN, issued a credential without MFA, required non-E2E middleware), creating a high, foreseeable risk | Sonic did not owe a duty to guard against third-party criminal acts; Infor and other vendors were responsible for the vulnerabilities | Court: Duty is a question of law for the court; the evidence shows Sonic committed affirmative acts that created foreseeable, unreasonably dangerous risks, so the duty question remains for trial |
| Proximate cause / supervening cause: whether hackers’ criminal acts cut off Sonic’s liability | The hack was a foreseeable consequence of Sonic's affirmative acts (vulnerable VPN, no MFA, no logging, non-E2E middleware); Sonic’s failures operated concurrently with the hack | The hackers’ criminal acts were independent, superseding causes that break the causal chain | Court: Proximate cause is for the jury; material disputes exist whether the hack was foreseeable or whether Sonic’s acts substantially caused the injuries, so summary judgment denied |
| Scope of affirmative acts / foreseeability: whether Sonic’s operational choices foreseeably increased harm | Sonic’s policies (VPN configuration, credential practices, delayed middleware upgrades, absent logging) foreseeably increased risk and extent of loss | Sonic contests responsibility for configuration, upgrades, logging, and blame falls to vendors/franchisees | Court: Sufficient evidence supports that Sonic’s actions created and worsened vulnerabilities; factual disputes prevent summary judgment |
Key Cases Cited
- Celotex Corp. v. Catrett, 477 U.S. 317 (1986) (summary judgment standard and movant's burden)
- Anderson v. Liberty Lobby, Inc., 477 U.S. 242 (1986) (standard for genuine issue of material fact)
- Peffer v. Stephens, 880 F.3d 256 (6th Cir. 2018) (application of summary-judgment standard)
- Thomas v. Speedway SuperAmerica, LLC, 506 F.3d 496 (6th Cir. 2007) (viewing evidence in light most favorable to nonmovant)
- Lowery v. Echostar Satellite Corp., 160 P.3d 959 (Okla. 2007) (elements of negligence under Oklahoma law)
- J.S. v. Harris, 227 P.3d 1089 (Okla. Ct. App. 2009) (duty where defendant’s affirmative act creates high degree of risk)
- McGehee v. Forest Oil Corp., 908 F.3d 619 (10th Cir. 2018) (duty question as threshold legal issue)
- Lockhart v. Loosen, 943 P.2d 1074 (Okla. 1997) (supervening cause doctrine and proximate-cause principles)
- Beck v. Haik, 377 F.3d 624 (5th Cir. 2004) (admissibility of third-party investigative reports as agent admissions)
