P.F. Chang’s China Bistro has been hit with a class action lawsuit tied to the recent data breach.
The lawsuit was filed in U.S. District Court in Illinois by plaintiff John Lewert. A resident of Illinois, Lewert is seeking monetary and statutory damages as well as injunctive and declaratory relief.
According to the lawsuit, Lewert went to a P.F. Chang’s restaurant in Northbrook, Illinois, on or about April 3, 2014, and used a debit card to make a purchase. This entered him into “an implied contract” with the restaurant that included the protection of his debit card information. The breach, the lawsuit contends, violated that contract by exposing his information.
“P.F. Chang’s failure to comply with reasonable security standards provided P.F. Chang’s with short-term and fleeting benefits in the form of saving on the costs of compliance, but at the expense and to the severe detriment of P.F. Chang’s own customers – including Class members here – who have been subject to the Security Breach or otherwise have had their financial information placed at serious and ongoing risk,” according to the suit.
“P.F. Chang’s allowed widespread and systematic theft of its customers’ financial information,” the suit continues. “Defendant’s actions did not come close to meeting the standards of commercially reasonable steps that should be taken to protect customers’ financial information.”
P.F. Chang’s did not respond to a request from SecurityWeek for comment about the lawsuit.
The restaurant confirmed the breach, which may have affected as many as 7 million cards, last month after reports of the situation became public. So far, details about how the breach happened have not been publicly explained, but the company contacted law enforcement and began an investigation after being notified of the situation.
In light of the investigation, the company began using manual imprinting devices to process credit and debit card payments at P.F. Chang’s China Bistro restaurants in the continental United States.
Though the company has stated it learned of the breach June 10, 2014, there have been reports that the breach may have gone back to September 2013.