Sonic Franchisee, Affiliate Hit with Class Action Over Data Breach Reportedly Affecting Thousands of Restaurant Employees

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action alleges that potentially thousands of current and former Sonic Drive-In employees have had their personal information exposed in a data breach Sweetwater Franchise Group, LLC and Alford, Holloway, & Smith, PLLC (AHS) failed to prevent.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 35-page case explains that public accounting firm AHS provides financial services for Sonic franchisee Sweetwater, which operates approximately 30 locations throughout Florida, Mississippi and Texas. On February 23 of this year, AHS discovered that an unauthorized party had accessed its network and stolen files that contained private data belonging to employees who have worked at one of Sweetwater’s Sonic locations within the past decade, the complaint claims.

According to the lawsuit, the cyberattack compromised employees’ names and Social Security numbers.

The filing argues that the incident was a direct result of the defendants’ failure to properly safeguard the personal information by implementing adequate cybersecurity measures. Per the suit, AHS received employees’ unencrypted data from Sweetwater, which it then stored in an “Internet-accessible environment.”

“The unencrypted [personally identifiable information] of [the plaintiff] and Class Members may end up for sale on the dark web, or simply fall into the hands of companies that will use the detailed [personally identifiable information] for targeted marketing without the approval of [the plaintiff] and Class Members,” the case says, stressing that victims now face a significant risk of identity theft and fraud due to the defendants’ negligence.

The plaintiff, whose employment at Sweetwater’s Sonic restaurant in Wauchula, Florida ended about 10 years ago, says she received a notice on July 17 informing her that her information was involved in the data breach.

Not only was the letter sent by AHS unreasonably delayed, but it also failed to disclose the specific vulnerabilities and root causes of the intrusion, the complaint contends.

The filing alleges that AHS’s and Sweetwater’s handling of employee data was out of line with industry standards and has subjected those whose information was exposed to “years of constant surveillance of their financial and personal records, monitoring, and loss of rights.”

To make matters worse, the defendants “knew or should have known that AHS’s computer systems were a target for cybersecurity attacks, including attacks involving data theft, because warnings were readily available and accessible via the internet,” the suit claims.

The lawsuit looks to represent anyone whose personally identifiable information was actually or potentially compromised in the data breach that is the subject of the notice AHS sent to the plaintiff and class members on or around July 17, 2023.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.