Sonic Drive-In Hit By Breach, Millions of Cards Potentially Affected

Sonic Drive-In, the US fast-food chain where car-hops are still a thing, is the latest victim of a security breach affecting an unknown number of store payment systems—but it could be millions of victims.

Sonic has confirmed that they have been investigating unusual payment card activity since being informed by their credit card processor last week.

First disclosed by independent researcher Brian Krebs, the compromise came to light via a pattern of fraudulent transactions on cards that had previously been used at one of Sonic’s 3,600 locations.

“I began hearing from sources at multiple financial institutions,” Krebs noted in a post. Those cards were then found to be part of a cache of five million credit and debit card accounts that were first put up for sale in mid-September on a dark web site called Joker’s Stash, all indexed by city, state and ZIP code. They're going at a premium, too: between $25 and $50 per card.

“I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”

Christi Woodworth, vice president of public relations at Sonic, confirmed the incident and told Krebs that the investigation hasn’t yet uncovered how many cards or which of its stores may be impacted.

The attack on Sonic is the latest fast-food hack, following the Wendy’s data breach earlier this year. It’s also part of a pattern in other ways.

“The Sonic breach is another in a long line of retail breaches stemming from an attack on a third party,” said Fred Kneip, CEO at CyberGRX, via email. “The Target hackers accessed data through an HVAC vendor, Home Depot and Hilton Hotels were breached through a point-of-sale vendor, and now hackers have breached Sonic by exploiting a credit card processing vendor. Organizations with expansive digital ecosystems need to understand that their attack surface extends to third parties and that they will bear the financial and reputational consequences of vulnerabilities across their network of vendors, partners and suppliers. By performing proper risk assessments on third parties within their digital ecosystem, merchants can uncover weak security controls and work with the vendor to remediate these issues before vulnerabilities are exploited.”

Those who recently visited a Sonic Drive-In should keep an eye out for suspicious account behavior: monitor their finances regularly, check bank statements often and look out for transactions they don’t recognize.

“Be proactive after hearing about a breach. Don’t wait to be notified by a company whose services you use, if they suffer a data breach. Take matters into your own hands. If you think a company you use has seen customer data compromised, contact your bank and look through your records to see if you were affected,” Gary Davis, chief consumer security evangelist at McAfee, said via email.
