$5.7M Sonic settlement over data breach gets final approval


  • A federal judge in Ohio approved a $5.7 million settlement agreement made by Sonic Corp. to resolve claims revolving around a 2017 data breach.
  • Sonic made the class action settlement with financial institutions that argued it was negligent and bore responsibility for the data breach by allegedly failing to implement adequate data security measures at its restaurant. 
  • The data breach compromised the credit and debit card information of millions of customers.
  • Sonic previously agreed to pay $4.3 million in a settlement made with consumers in 2018 to resolve claims related to the data breach. 

Sonic Data Breach Class Action Overview: 

  • Who: Fast-food chain Sonic is facing legal action filed by American Airlines Federal Credit Union, Redstone Federal Credit Union, and Arkansas Federal Credit Union.
  • What: The financial institutions allege that the drive-in eatery was negligent with consumer payments, including credit and debit card information exposed in a 2017 Sonic data breach. 
  • When: The consolidated class actions are pending in Ohio federal court. 


Fast-food chain Sonic must face trial after a data breach forced major financial institutions to issue new customer credit cards and reimburse funds stolen by hackers.

U.S. District Judge James S. Gwin ruled against Sonic this week, after the company had filed for an early judgement in a class action lawsuit filed by the banks. 

The drive-in eatery argued that banks did not have enough proof the hack was Sonic’s fault; however, Judge Gwin ruled that Sonic’s “affirmative acts created a risk of harm, and Sonic knew or should have known that the risk of hacking made its flawed security practices unreasonably dangerous.”

Sonic Drive-In Data Breach Class Action Lodged By Banks

American Airlines Federal Credit Union, Redstone Federal Credit Union, and Arkansas Federal Credit Union brought a class action against Sonic after the fast-food company reached a $4.3 million settlement with consumers following the 2017 data breach.

In the breach, hackers accessed unencrypted credit card data from Sonic’s cash register software provider Infor. The breach was undetected for six months.

The three credit card companies, which hope to represent thousands of others, said in their class action that Sonic would have avoided the hack if it had been in compliance with its own security protocols.

A federal judge agreed with the financial institutions that Sonic did multiple things to expose the credit unions to a “high degree of risk,” including leaving Infor’s remote access permanently enabled without blocking foreign IP addresses, and creating a weak access password for the VPN which did not require multi-factor authentication.

According to Judge Gwin, the chain also committed the two “affirmative acts” of using software that did not require end-to-end encryption and operating old and out-of-date software systems in its more than 700 franchises.


The financial institutions are represented by Brian C. Gudmundson and Michael J. Laird of Zimmerman Reed LLP; Charles H. Van Horn, Katherine M. Silverman and Lauren S. Frisch of Berman Fink Van Horn PC; Joseph P. Guglielmo, Erin Green Comite and Margaret Ferron of Scott and Scott Attorneys at Law LLP; Karen Sharp Halbert and William R. Olson of Roberts Law Firm PA; and Arthur M. Murray, Stephen B. Murray Sr. and Caroline Thomas White of Murray Law Firm.

The Sonic Data Breach MDL is In Re: Sonic Corp. Customer Data Breach Litigation, Case No. 1:17-md-02807, in the U.S. District Court for the Northern District of Ohio.