Restaurants sue POS firms over data theft

LAFAYETTE La. Several Louisiana restaurateurs have sued their point-of-sale system maker and distributor, alleging their actions enabled hackers to steal customer data and thereby caused the operators financial losses and damaged reputations.

Filed in the 15th Judicial District in Lafayette, the lawsuit names as defendants hardware and software maker Radiant Systems Inc. of Alpharetta, Ga., and Radiant dealer and services provider Computer World Inc. of Scott, La.

The case centers on data breaches discovered in early 2008, at restaurants using Aloha POS software from Radiant that was installed and maintained by Computer World. The plaintiffs have claimed that once data was stolen, they had to incur expenses for audit fees, charge backs and fines.

Atlanta attorney Charles Hoff, who is acting as an adviser to the plaintiffs’ lawyers, said that while restaurateurs have previously made compensation demands on POS vendors or distributors in data-breach cases, this ongoing lawsuit is among the first to have landed in court, making it important for restaurant operators and the vendor community alike.

The latest case update occurred last month, when a judge denied a motion by the defendants to discontinue the collective case, Hoff said. The ruling, he said, will enable other restaurants to join the case and makes the litigation more affordable for independent restaurateurs.

Radiant said it believes the charges are without merit.

“Radiant is widely recognized in the restaurant industry for delivering value to customers while helping them manage risk. That’s why this recent story is particularly troublesome to us,” said Paul Langenbahn, president of Radiant’s hospitality division. “Almost two years ago, these customers were victims of criminal acts and we feel horrible about that. However, Radiant’s software was never compromised.”

Langenbahn added that, while it is Radiant’s policy not to comment on the details of pending litigation, “What we can say is that Radiant takes data security very seriously, and that our products are among the most secure in the industry.”

Calls and e-mails to Computer World and its attorney were not returned by press time.

The lawsuit’s plaintiffs include B.S. & J. Enterprises Inc. of Baton Rouge, La., operator of Jones Creek Cafe & Oyster Bar; Crayfish Town USA Inc. in Breaux Bridge, La.; and Don’s Seafood & Steak House Inc. in Baton Rouge. The other plaintiffs are Mansy Enterprises LLC of Lafayette, operator of Picante Mexican Restaurant & Cantina; Mel’s Diner Part II Inc. of Broussard, La.; and Sammy’s LLC of Baton Rouge, and Sammy’s of Zachary LLC in Zachary, La., operators of Sammy’s Grill.

“Our clients are restaurants. They are food experts, not technologists,” attorney Hoff said. “When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are compliant [with accepted industry regulations], our clients trust them.”

Astatement by the plaintiffs’ attorneys said hundreds of the restaurants’ customers had their card data stolen.

The attorneys said that, depending on their individual circumstances, the operators have had to pay some or all of a wide range of costs associated with the data breaches. They said that among the costs they are seeking to recover on behalf of operators are those related to hiring forensic auditors and information technology consultants; card company fines for non-compliance with data security standards; charge-back assessments related to goods purchased illegally using card numbers stolen from their restaurants; reimbursement for business lost, if any, as a result of adverse publicity tied to the data thefts; and attorneys’ fees.

The plaintiffs’ attorneys allege that forensic auditors hired by the restaurateurs determined that Computer World violated standard security provisions. Radiant’s failure to either instruct or monitor Computer World’s actions contributed to the compromise of the restaurateurs’ POS systems, the plaintiffs’ attorneys further alleged.

The restaurateurs were alerted to the possible theft of card data by local law enforcement officials in spring 2008, and subsequent investigations of their own confirmed that their systems had been compromised, court documents said. Additional research by the restaurateurs determined that malicious “keylogger” software was loaded onto their POS systems, their attorneys said.

Plaintiff Keith Bond of Mel’s Diner said the keylogger captured data from payment cards as they were swiped to settle tabs. He said he was told by officials of the U.S. Secret Service, which investigates credit card fraud and identity theft, that a Romanian hacker was involved.

To date, Bond said, his tab for the incident has run about $50,000. His out-of-pocket costs, he explained, have included forensic audit fees of approximately $19,000, charge-back assessments of about $19,000 and a Visa fine of $5,000.

Contact Alan J. Liddle at [email protected] [1].