Class-Action Lawsuit Filed in Dickey's Data Breach

Plantiffs have filed a class-action lawsuit against Dickey's Barbecue Restaurants Inc. after credit card data was released on the dark web for 3 million customers last month.

The case, Diczhazy et al. v. Dickey’s Barbecue Restaurants Inc. et al, was filed Nov. 9 in US District Court – Southern District of California.

The lawsuit alleges violations of the California Consumer Privacy Act (CCPA) and negligence.

Several cyber-security researchers including Krebs, Gemini Advisory and Q6 Cyber reported on the “BlazingSun” data breach in mid-October.  According to the filing, the plantiffs allege the data breach would have continued without Dickey’s detection had these cyber security firms not issued public reports on the Joker’s Stash data for sale.

Dickey’s, according to the lawsuit, has not notified customers whose credit card numbers and personal identifying information (PII) were stolen and sold, a violation of CCPA. (When contacted by HT, Dickey's says the investigation is ongoing.)  “As a result, affected consumers have not taken prophylactic action to protect their identity and financial accounts, and will continue to suffer ongoing and imminent risk to their personal information and assets,” the lawsuit alleges.

Gemini believes the payment transactions at 150 of Dickey’s franchises locations were processed via the outdated magstripe method, which is prone to malware attacks. 

"We are taking this incident very seriously and an investigation is ongoing," Dickey's tells HT. "We are currently focused on determining the locations affected and time frames involved. Dickey’s does not otherwise comment on pending litigation."