The operators of Dickey’s Barbecue Pit face a proposed class action lawsuit after roughly three million credit card numbers were reportedly “siphoned” from more than 150 restaurant locations from May 2019 through at least September 2020 and put up for sale on the dark web.
The 26-page consumer privacy lawsuit alleges “lax security measures” on the part of defendants Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. are to blame for the barbeque joint’s latest “massive” data breach.
“This is not the first cyber attack Dickey’s has suffered in recent years,” the complaint reads, claiming the breach may have continued undetected had the stolen information, which was put up for sale on the “Joker’s Stash” marketplace, not been reported on by industry experts.
The lawsuit claims Dickey’s, the “fastest-growing BBQ chain” in the country, has violated California law by failing to notify customers whose credit card numbers and personal identifying information (PII) were stolen and sold due to the data breach. The defendants’ failure to notify those affected by the incident has left consumers at a disadvantage in taking proactive measures to protect their identities and finances and to guard against potential fraud, the suit argues.
According to the complaint, the Dickey’s data breach, dubbed the “BlazingSun” breach, has been reported on by a number of reputable cyber-security researchers, including Brian Krebs, Gemini Advisory and Q6 Cyber. Citing the researchers’ findings, the lawsuit says the compromised “BlazingSun” credit card numbers belonged to consumers spanning 35 states, with the highest number of affected accounts coming from California, where Dickey’s has 66 locations.
Per the suit, the data protection industry researchers have traced the origin of the stolen financial details to the Dickey’s data breach and specific Dickey’s locations.
“There are thousands of cards in ‘BlazingSun’ from zip codes surrounding that location and others in California, with more being released for sale on an ongoing basis,” the case reads.
According to the suit, the Dickey’s data breach is a clear violation of the California Consumer Privacy Act in that the disclosed information, whether it’s encrypted or unencrypted, includes an individual’s first name (or first initial) and their last name in combination with a credit or debit account number and any required security code, password or access code that would permit access to the individual’s financial account.
In all, the defendants have failed to maintain reasonable security controls and systems appropriate for the type of PII in their control, the suit contends. Dickey’s “knew or should have known” about industry-standard data protection measures, such as using secure chip card readers in place of card swiping, that could have been used to protect customers’ information, the lawsuit says.
More troubling is the fact that Dickey’s apparently did not know the data breach was taking place for months, the suit stresses:
“Defendants also failed to maintain proper measures to detect hacking and intrusion. For example, Dickey’s did not learn that 3 million of its customers’ payment cards had been stolen until the hack was publicly reported by third parties – at least 16 months after it began. Defendants should have had breach detection protocols in place, which could have detected the breach and alerted customers much sooner.”
The lawsuit looks to cover all consumers who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment information to the restaurant, at any time since January 1, 2020 and whose personal information was compromised, including as part of the Joker’s Stash BlazingSun data set.