The restaurant chain alleges that the Micros payment system was delivered with malware and that it led to the theft of customer credit card information.
Micros Systems is being sued by a Texas-based restaurant chain, which alleges that the IT company sold and installed a malware-infected credit card transaction system that captured personal data from the restaurant's customers.
The trial in the case opened July 15 in U.S. District Court in Baltimore, pitting the Grapevine, Texas-based Cotton Patch Cafe chain against Columbia, Md.-based Micros.
In its 12-page complaint, the restaurant chain alleges that Micros sold and installed point-of-sale (POS) and credit card systems in its Nacogdoches, Texas, location in 2001 and that it was subject to many federal standards regulating credit card transactions and security. Micros had full control over the system and its security, the lawsuit alleges, and "explicitly instructed Plaintiff not to tamper with, maintain or service the system in any way."
The federal standards and separate payment card industry data security standards imposed by the major credit card companies and related financial institutions provided "requirements for point-of-sale systems, including requirements for protecting cardholder data, developing and maintaining secure systems and applications, restricting access to cardholder data, tracking and monitoring access to network resources and cardholder data, and regularly testing security systems and processes," according to the lawsuit.
Don't be Afraid of the "Ghost" of Imaging Past
Download Now
Despite those requirements, the suit alleges, Micros "never advised Plaintiff that the system was not compliant with these statutes and standards even though Defendant was aware that the system was not compliant."
In 2006, officials from Cotton Patch Cafe "inquired about the system's compliance with these uniform standards" and Micros represented that the system "complied or would be made to comply with all standards and particularly with respect to credit card data storage and encryption," according to the lawsuit. "Indeed, Defendant provided services purportedly to inspect and upgrade the system and produced purported 'evidence' that the system was secure and met the required security standards."
In the meantime, Micros "continued to maintain complete control of the system, even replacing a server, continued regular service and maintenance of the system, and continued to fail to advise Plaintiff that the system was not compliant with prevailing standards," the complaint alleges. "This conduct occurred even though Plaintiff's use of a non-compliant system subjected it to possible fines from credit card companies and exposure to theft of its customers' credit card data. Such conduct also occurred even though Defendant was aware of data breaches victimizing other customers with the same type of point-of-sale system and remote access of cardholder data by third parties and subjected Plaintiff to charges and fines from credit card companies and related financial institutions."
The problem became worse in March 2006, according to the lawsuit, when Micros allegedly sold the restaurant a new server and upgraded software installed in the Nacogdoches location "with malware already placed on the system and configured to store full track data in system page files, all in violation of known standards."
That malware "provided the necessary means for an attacker to take control of the Server, install additional malware, identify customer credit card data (including full track data), and exfiltrate that data," the lawsuit continued. The restaurant didn't know the server contained malware and Micros "failed to notify Plaintiff of the malware or prevent its installation."
The malware infection "comprised serious flaws in the Server and directly contributed to the data security breach at Plaintiff's Nacogdoches restaurant," which led to the theft of customer information by electronic intruders from 2006 to 2007, according to the lawsuit. Micros "knew or should have known of the system's failure to meet payment card industry standards despite the services provided and was aware of the potential for harm for system users, as other businesses using similar Micros systems had experienced cardholder data thefts."
The number of customers affected by the alleged breach is not mentioned in the documents.
The lawsuit alleges that Micros' action violate the Texas Deceptive Trade Practices Act "by taking advantage of Plaintiff's lack of knowledge, ability, experience, or capacity to a grossly unfair degree" through the installation and maintenance of the system. "Beginning no later than 2006, Defendant stated and continued to reassure Plaintiff that Defendant would ensure that payment card industry standards concerning security of customer data would be met and were in fact met. Defendant's statements were untrue. Defendant further acted deceptively in failing to disclose Plaintiff's non-compliance and ongoing criminal investigations involving the failures of its products."
The lawsuit also claims that Micros was negligent in servicing the equipment it sold to the Cotton Patch Café and that the vendor negligently provided a defective server that was infected with malware. Cotton Patch Café also sued Micros for negligent misrepresentation, gross negligence and for fraud by nondisclosure.
