Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit

There’s been a lot of coverage of the lawsuits against Heartland Payment Systems, a payment processor fined by both Visa and Mastercard for not being PCI-DSS compliant. Now a class-action lawsuit by seven restaurants claims that dozens of restaurants may have become victims of card fraud because systems provided to the restaurants by Radiant Systems and its Louisiana distributor, Computer World Inc., were not compliant with required standards.

According to a statement provided to DataBreaches.net by Charles Hoff of the Law Offices of Charles Y. Hoff, PC, general counsel for the Georgia Restaurant Association and one of the attorneys acting as a legal advisor to the restaurants in the lawsuit, the plaintiffs “do not have any exact numbers from the Secret Service but have been told that it is believed that dozens of restaurants as well as some hotels were victims of security breaches.”

Seven restaurants in Louisiana and Mississippi are named as plaintiffs in the lawsuit, including a Best Western, Mel’s Diner, Sammy’s Grill, Crawfish Town USA, Jone’s Creek Cafe, Don’s Seafood, and Picante’s Mexican Grill. In a separate, but related lawsuit, On the Half Shell and Boudreaux’s and Thibodeaux’s, sued Radiant Systems and Computer World in April.

Keith Bond, owner of Mel’s Diner in Broussard, Louisiana says that he purchased the “Aloha” system in 2007. In the spring of 2008, one of the restaurant’s servers noticed a problem that the mouse seemed to be moving around out of their control. According to Bond, they called Computer World, who told them to disconnect their internet connection and that they would send someone out the next day. When the service tech examined the system, he reportedly removed and replaced the hard drive, but was “vague” about what was wrong with the system, reassuring them that the problem was now resolved. Less than one month later, the restaurant received letters from Visa and Mastercard that they had been breached, were being fined, and were required to arrange for a forensic audit with an approved auditor. According to Bond, Visa fined them $5,000 and debited the money from their account immediately. Mastercard fined them $100,000 but waived the fine [but see NOTE at bottom of story].

Bond says that 669 of his customers were affected by the breach, although he never heard any complaints from any of them and only knew of the breach because of Visa and Mastercard contacting him. Other restaurants involved in the lawsuit were reportedly not as lucky. Bond says that Sammy’s Grill had 45,000 customers whose cards were compromised over a three-year period, and that he knows of 19 businesses who had similar breaches while using the Aloha system. He suspects that there are many more restaurants who also experienced breaches of a similar nature.

In a press release from the plaintiffs, Radiant Systems and Computer World Inc., are accused of having directly contributed to the breach by providing products that were not PCI-DSS compliant.

1) Restaurants were sold earlier model POS systems although they were represented to be new models;
2) Computer World used a remote access system that did not have adequate security patches – a violation of PCI-DSS standards;
3) Computer World used the same password for at least 200 operators in violation of PCI standards;
4) The distributor failed to remove prior sensitive customer credit data upon installation of Radiant POS systems, again in violation of PCI standards.

Bond claims that in his case, when Secure Metrics performed the forensic audit, they discovered that the system had previously been installed as Sorano’s Salsa Company’s system. It’s not clear whether any personal or financial data were still accessible, but it was clear that the system was not new. Bond says that pcAnywhere came installed on his system so that Computer World could remotely access the system to service it. But as with every Computer World installation for every Aloha customer, Computer World allegedly used the default password, and all 200 installations used the same password, “computer.” According to Bond, the Secret Service discovered that a Romanian hacker had accessed all of the computers using the system and common password and installed keyloggers to capture the card data.

The plaintiffs also claim that “Radiant and Computer World were warned by Visa in 2007 that their programs were non-compliant, but the restaurants were unaware of these warnings at the time they purchased the Aloha system.”

The plaintiffs are seeking damages to cover all of the expenses they incurred.

Both Radiant Systems and Computer World were contacted for a response to the press release issued yesterday by the plaintiffs. C. York Craig, III, of the law firm representing Computer World, Forman Perry Watkins Krutz & Tardy LLP, sent the following statement:

Computer World, through its New Orleans attorney, Joseph B. Morton, III of Forman Perry Watkins Krutz & Tardy LLP, denied the assertions of the plaintiffs. Morton stated, “We prefer to handle these matters in the proper forum. Computer World is confident that when all of the evidence is examined in a court of law, it will be established that Computer World fulfilled its contractual obligations, appropriately installed/monitored the POS hardware and software, complied with all government requirements and was very responsive to the needs of its clients.”

As of the time of this posting, Radiant Systems did not reply to DataBreaches.net’s inquiry (SEE UPDATE, BELOW). Bond says that a motion by Radiant Systems to break up the class action lawsuit was dismissed by a judge yesterday, and that the lawsuit has been allowed to go forward as a class-action lawsuit.

Bond informs DataBreaches.net that as a result of the breach, another one of the plaintiffs gave up on using credit cards altogether rather than incur the costs of a forensic audit and fines by Visa and Mastercard. As for Bond himself, after incurring $19,000 in forensic audit fees, several thousand dollars in fees for an IT consultant to implement the auditor’s recommendations, $20,000 in chargebacks, attorney fees, miscellaneous fees, and $5,000 in fines from Visa (see NOTE, below), Mel’s Diner has gone back to using dial-up.

Updated Nov. 25: I received this statement from Paul Langenbahn, president of the hospitality division at Radiant Systems:

These customers were victims of criminal acts almost two years ago. Unfortunately, in today’s world criminal acts like these are not uncommon in the restaurant industry. It is Radiant’s policy not to comment on the details of pending litigation. What we can say is that Radiant takes data security very seriously, and that our products are among the most secure in the industry. We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.

NOTE of December 1: Although Bond stated that Visa fined him and Mastercard fined him and referred to fines by them several times, card brands do not fine or penalize merchants. They may fine the acquirers who, in turn, may pass along the fines to the merchant.

12-14-09: Faulty link to April lawsuit corrected, thanks to an observant reader.

About the author: Dissent