Texas Eatery Chain Sues Micros Over Credit Card Payment System
The malware infection "comprised serious flaws in the Server and directly contributed to the data security breach at Plaintiff's Nacogdoches restaurant," which led to the theft of customer information by electronic intruders from 2006 to 2007, according to the lawsuit. Micros "knew or should have known of the system's failure to meet payment card industry standards despite the services provided and was aware of the potential for harm for system users, as other businesses using similar Micros systems had experienced cardholder data thefts." The number of customers affected by the alleged breach is not mentioned in the documents. The lawsuit alleges that Micros' action violate the Texas Deceptive Trade Practices Act "by taking advantage of Plaintiff's lack of knowledge, ability, experience, or capacity to a grossly unfair degree" through the installation and maintenance of the system. "Beginning no later than 2006, Defendant stated and continued to reassure Plaintiff that Defendant would ensure that payment card industry standards concerning security of customer data would be met and were in fact met. Defendant's statements were untrue. Defendant further acted deceptively in failing to disclose Plaintiff's non-compliance and ongoing criminal investigations involving the failures of its products." The lawsuit also claims that Micros was negligent in servicing the equipment it sold to the Cotton Patch Café and that the vendor negligently provided a defective server that was infected with malware. Cotton Patch Café also sued Micros for negligent misrepresentation, gross negligence and for fraud by nondisclosure.Louise Casamento, vice president of marketing and a spokesperson for Micros, could not immediately be reached for comment on July 15 about the lawsuit. In an interview with Baltimore Business Journal, Casamento "called the allegations in the lawsuit 'frivolous.' Micros will vigorously defend itself," she told the Journal. In a statement, Larry Marshall, president of Cotton Patch Cafe, said that the restaurant "had been using Micros Systems to install and manage our point-of-sale system since our initial installation, and a critical element of that was ensuring the system met security guidelines. Unfortunately, it did not, and its failure resulted in significant negative impact on us and our customers. We discovered several of Micros' clients experienced similar security breaches, we were not made aware of the problem and Micros knowingly sold software that did not meet industry standards. They left the small guys out there to fend for themselves." Marshall told eWEEK through a spokesman that he was unavailable for comment. Cotton Patch Café opened in 1989 and has 41 locations in Texas, Oklahoma and New Mexico, according to the company. The restaurant chain is seeking damages from Micros for penalty fees imposed by the financial institutions, consequential damages including loss of goodwill and lost profits, treble damages and exemplary damages, according to the company.
Micros "concealed from or failed to disclose to Plaintiff that the system was unprotected and did not comply with applicable data security standards" and that the software on the server "did not comply with applicable data security standards," the lawsuit alleges. "Defendant also failed to disclose that its personnel were not trained on compliance issues and were not competent in compliance issues."