A proposed class action alleges Dickey’s Barbecue Restaurants failed to exercise reasonable care in safeguarding customers’ personal information in light of a months-long data breach first reported by cybersecurity experts last fall.
The 32-page lawsuit relays that Krebs on Security revealed in an October 15, 2020 blog post that payment card data had been stolen from Dickey’s customers at more than 100 of its restaurant locations nationwide. According to the Krebs article, a dark web payment card marketplace known as “Joker’s Stash” debuted a collection of more than three million stolen payment card records while advertising “validity rates” for the cards of between 90 and 100 percent.
The stolen payment cards had been used at one or more Dickey’s restaurants over the preceding 13 to 15 months, a time period spanning May 2019 to September 2020, the complaint says. According to the case, cyber intelligence firm Gemini Advisory reported that approximately 156 Dickey’s locations across 30 states likely had payment systems compromised by payment card-stealing malware, with the highest levels of exposure in California and Arizona. Gemini Advisory further concluded that the payment transactions at Dickey’s restaurants were processed by way of an “outdated magstripe method” prone to malware attacks, the lawsuit says.
The proposed class action, filed in California federal court on April 5, alleges the Dickey’s data breach was the result of the restaurant’s “inadequate approach to data security and protection of its customers’ [personally identifying information]” collected during the course of business. The case claims Dickey’s also failed to timely notify those affected by the data breach.
From the suit:
“Defendant disregarded the rights of Plaintiff and the Class by intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure its data systems were protected, failing to disclose to its customers the material fact that it did not have adequate computer systems and security practices to safeguard PII, failing to take available steps to prevent the Data Breach, and failing to monitor and timely detect the Data Breach.”
According to the complaint, Dickey’s could have prevented this data breach given that a number of other restaurant and retail chains have been hit with similar malware-based attacks on their point-of-sale (POS) systems in recent years. Per the suit, the susceptibility of POS systems is “well-known through the restaurant industry” and has been exploited in “practically every major data breach involving retail stores or fast-food restaurants” in the last five years.
“Unfortunately, Defendant’s decision to ignore warnings like this led to the damage alleged here,” the case says.
Dickey’s is no stranger to data breaches, according to the case. In 2015 the restaurant was hit with a ransomware attack wherein the perpetrator demanded $6,000 in exchange for the return of Dickey’s marketing files, the suit says. In the wake of that incident, Dickey’s published an article in which it detailed what happened and its commitment to “a robust cybersecurity posture,” including quotes from the chain’s then-CEO and an endorsement of investing in proactive cybersecurity measures.
Despite the foregoing, the lawsuit says, Dickey’s “again failed to protect its customers PII with adequate data security.” As a result of the ransomware attack, proposed class members’ information has been exposed to criminals for misuse, and the consumers face, among other potential damages, a heightened risk of identity theft, fraud and the expenditure of time and resources to protect against and/or investigate such, the lawsuit says.
On March 23, a federal judge in Texas consolidated three proposed class actions against Dickey’s over the data breach. Prior to that event, the U.S. Judicial Panel on Multidistrict Litigation declined to transfer the lawsuits to California to be joined with three other lawsuits pending in the state over the ransomware attack, Law360 reports.