Texas Restaurant Chain Sues Micros Over Malware Infection

security malware - Shutterstock: © Marcio Jose Bastos Silva

The restaurant chain alleges that Micros delivered a credit card transaction system containing malware that stole customer data

Micros Systems is being sued by a Texas-based restaurant chain, which alleges that the IT company sold and installed a malware-infected credit card transaction system that captured personal data from the restaurant’s customers.

The trial in the case opened on 15 July in US District Court in Baltimore, pitting the Grapevine, Texas-based Cotton Patch Cafe chain against Columbia, Maryland-based Micros.

Non-compliant systems

In its 12-page complaint, the restaurant chain alleges that Micros sold and installed point-of-sale (POS) and credit card systems in its Nacogdoches, Texas location in 2001 and that it was subject to many federal standards regulating credit card transactions and security. Micros had full control over the system and its security, the lawsuit alleges, and “explicitly instructed Plaintiff not to tamper with, maintain or service the system in any way”.

The federal standards and separate payment card industry data security standards imposed by the major credit card companies and related financial institutions provided “requirements for point-of-sale systems, including requirements for protecting cardholder data, developing and maintaining secure systems and applications, restricting access to cardholder data, tracking and monitoring access to network resources and cardholder data, and regularly testing security systems and processes”, according to the lawsuit.

thDespite those requirements, the suit alleges, Micros “never advised Plaintiff that the system was not compliant with these statutes and standards even though Defendant was aware that the system was not compliant”.

In 2006, officials from Cotton Patch Cafe “inquired about the system’s compliance with these uniform standards” and Micros represented that the system “complied or would be made to comply with all standards and particularly with respect to credit card data storage and encryption”, according to the lawsuit. “Indeed, Defendant provided services purportedly to inspect and upgrade the system and produced purported ‘evidence’ that the system was secure and met the required security standards.”

Malware attack

In the meantime, Micros “continued to maintain complete control of the system, even replacing a server, continued regular service and maintenance of the system, and continued to fail to advise Plaintiff that the system was not compliant with prevailing standards,” the complaint alleges.

“This conduct occurred even though Plaintiff’s use of a non-compliant system subjected it to possible fines from credit card companies and exposure to theft of its customers’ credit card data. Such conduct also occurred even though Defendant was aware of data breaches victimising other customers with the same type of point-of-sale system and remote access of cardholder data by third parties and subjected Plaintiff to charges and fines from credit card companies and related financial institutions.”

The problem became worse in March 2006, according to the lawsuit, when Micros allegedly sold the restaurant a new server and upgraded software installed in the Nacogdoches location “with malware already placed on the system and configured to store full track data in system page files, all in violation of known standards”.

That malware “provided the necessary means for an attacker to take control of the Server, install additional malware, identify customer credit card data (including full track data), and exfiltrate that data”, the lawsuit continued.

The restaurant didn’t know the server contained malware and Micros “failed to notify Plaintiff of the malware or prevent its installation”.

Customer data theft

The malware infection “comprised serious flaws in the Server and directly contributed to the data security breach at Plaintiff’s Nacogdoches restaurant”, which led to the theft of customer information by electronic intruders from 2006 to 2007, according to the lawsuit.

Micros “knew or should have known of the system’s failure to meet payment card industry standards despite the services provided and was aware of the potential for harm for system users, as other businesses using similar Micros systems had experienced cardholder data thefts”.

The number of customers affected by the alleged breach is not mentioned in the documents.

The lawsuit alleges that Micros’ action violate the Texas Deceptive Trade Practices Act “by taking advantage of Plaintiff’s lack of knowledge, ability, experience, or capacity to a grossly unfair degree” through the installation and maintenance of the system.

“Beginning no later than 2006, Defendant stated and continued to reassure Plaintiff that Defendant would ensure that payment card industry standards concerning security of customer data would be met and were in fact met. Defendant’s statements were untrue. Defendant further acted deceptively in failing to disclose Plaintiff’s non-compliance and ongoing criminal investigations involving the failures of its products.”

The lawsuit also claims that Micros was negligent in servicing the equipment it sold to the Cotton Patch Café and that the vendor negligently provided a defective server that was infected with malware. Cotton Patch Café also sued Micros for negligent misrepresentation, gross negligence and for fraud by nondisclosure.

Micros “concealed from or failed to disclose to Plaintiff that the system was unprotected and did not comply with applicable data security standards” and that the software on the server “did not comply with applicable data security standards”, the lawsuit alleges. “Defendant also failed to disclose that its personnel were not trained on compliance issues and were not competent in compliance issues.”

Allegations ‘frivolous’

Louise Casamento, vice president of marketing and a spokesperson for Micros, could not immediately be reached for comment about the lawsuit.

In an interview with Baltimore Business Journal, Casamento called the allegations in the lawsuit “frivolous”.

“Micros will vigorously defend itself,” she told the Journal.

In a statement, Larry Marshall, president of Cotton Patch Cafe, said that the restaurant “had been using Micros Systems to install and manage our point-of-sale system since our initial installation, and a critical element of that was ensuring the system met security guidelines. Unfortunately, it did not, and its failure resulted in significant negative impact on us and our customers. We discovered several of Micros’ clients experienced similar security breaches, we were not made aware of the problem and Micros knowingly sold software that did not meet industry standards. They left the small guys out there to fend for themselves.”

Marshall told eWEEK through a spokesman that he was unavailable for comment.

Cotton Patch Café opened in 1989 and has 41 locations in Texas, Oklahoma and New Mexico, according to the company. The restaurant chain is seeking damages from Micros for penalty fees imposed by the financial institutions, consequential damages including loss of goodwill and lost profits, treble damages and exemplary damages, according to the company.

Are you a security pro? Try our quiz!

Originally published on eWeek.