Home page logo

dataloss logo Data Loss mailing list archives

Investigation, Class Action Lawsuit, Cast Shadow Over Radiant Systems and Distributor
From: security curmudgeon <jericho () attrition org>
Date: Wed, 25 Nov 2009 02:44:33 +0000 (UTC)


Secret Service Investigation, Class Action Lawsuit, Cast Shadow Over 
Radiant Systems and Distributor

Atlanta Company and Distributor Accused of Negligence in Widespread 
Identity Theft at Restaurants

PR Log (Press Release)  Nov 23, 2009  Secret Service Investigation and 
Class Action Lawsuit Cast Shadow Over Radiant Systems and Louisiana 

Atlanta Company and Distributor Accused of Negligence in Widespread 
Identity Theft at Restaurants

ATLANTA, November 23, 2009  Forensic audit investigations conducted by 
credit company-approved experts concluded that the Louisiana-based 
distributor for Radiant Systems, Inc. (http://www.radiantsystems.com/) 
products violated data protocols that directly contributed to security 
breaches at restaurants in Louisiana and Mississippi.   This finding of 
alleged negligence is at the heart of a collective action lawsuit filed by 
seven restaurants claiming that hundreds of customers had their identities 
stolen as a result of poor business practices and faulty software from 
Radiant and Computer World (the distributor).

The restaurants are seeking millions of dollars in damages from Radiant 
and Computer World.

Our clients are restaurants. They are food experts, not technologists. 
When major players in the hospitality industry such as Radiant Systems and 
its distributors say their software and business practices are PCI-DSS 
compliant, our clients trust them, said Charles Hoff of the Law Offices of 
Charles Y. Hoff, PC, general counsel for the Georgia Restaurant 
Association and one of the attorneys acting as a legal advisor to the 
restaurants in the lawsuit.

Hoff continued: When those claims of compliance and proper security 
practices turn out to be false, the restaurants are left to suffer huge 
financial losses due to financial penalties imposed by the credit card 
companies. Their reputations are tarnished. Were determined not to let 
Radiant and Computer World simply walk away from their responsibilities.

PCI-DSS is a comprehensive set of technological requirements and consumer 
protections created by the major credit card companies to safeguard point 
of sale (POS) systems from hackers and protect consumers from identify 
theft. POS system vendors must follow these standards, and any business 
accepting credit cards for payments (such as restaurants) are 
contractually obligated to use equipment and software from PCI-DSS 
compliant vendors.  The penalties for retailers that have their systems 
breached can be massive, even if the problems are the fault of the 
hardware and software vendors.

A special investigation by the United States Secret Service (the agency 
responsible for investigating cases of credit card fraud and identity 
theft) was also conducted given the multitude of Radiant POS systems 
subject to security breaches throughout Louisiana and Mississippi and the 
findings by the forensic reports that Computer World  exclusive area 
distributor of Radiant Systems Aloha POS software - violated PCI-DSS 
provisions. Among the findings:

1)   Restaurants were sold earlier model POS systems although they were 
represented to be new models;
2)   Computer World used a remote access system that did not have adequate 
security patches  a violation of PCI-DSS standards;
3)   Computer World used the same password for at least 200 operators in 
violation of PCI standards;
4)   The distributor failed to remove prior sensitive customer credit data 
upon installation of Radiant POS systems, again in violation of PCI 

As a result, the lawsuits plaintiffs are alleging that:
    Radiant Systems negligence and failure to either instruct or monitor 
Computer Worlds actions led to systems being compromised and leaving the 
plaintiffs customers vulnerable to identity theft and fraud.
    That Radiant and Computer World were warned by Visa in 2007 that their 
programs were non-compliant. (The restaurants were unaware of these 
warnings at the time they purchased the Aloha system.)
    Once the breaches occurred and cases of identity theft and fraud began 
to appear, Visa, MasterCard and the card processing companies invoked 
their contracts and directly penalized the restaurants for the actions of 
Radiant and Computer World. The plaintiffs were hit with huge fines, 
required to pay for forensic audits to trace the problems, reimbursement 
of fraud costs to the credit card companies and payments for re-issuance 
of credit cards to affected individuals.

The lawsuit is seeking compensation to repay the penalties levied by the 
credit card companies and the massive costs to track down and repair the 
POS system problems. According to the attorneys, damages could run well 
into seven figures.

The restaurants have filed their lawsuit in the 15th Judicial District 
Court of Louisiana in Lafayette Parish and will be seeking to raise 
awareness of the chaos and financial turmoil caused by companies such as 
Computer World and Radiant. We want other restaurants nationally to be 
aware of the hidden dangers posed by these technology companies and the 
unfair penalties imposed by the credit card companies, said Shiel 
Gallagher of Gallagher & Gupta, PC, in Chicago, the second attorney 
leading the lawsuit.  These huge companies shouldnt have the power to 
destroy these restaurants. Its a classic David-versus-Goliath story and 
were going to do what we can to protect what these small business owners 
have struggled to build.
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/

Get business, compliance, IT and security staff on the same page with
CREDANT Technologies: The Shortcut Guide to Understanding Data Protection
from Four Critical Perspectives. The eBook begins with considerations
important to executives and business leaders.

  By Date           By Thread  

Current thread:
  • Investigation, Class Action Lawsuit, Cast Shadow Over Radiant Systems and Distributor security curmudgeon (Nov 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]