Sonic publicly confirms payment card breach at drive-in locations

Doesn’t comment on number of customers potentially affected…

Sonic publicly confirms payment card breach at drive-In locations

American fast food restaurant chain Sonic has publicly confirmed a payment card breach affecting some of its Drive-In locations.

On 4 October 2017, the Oklahoma City headquarters of the chain released a statement acknowledging the incident:

"Sonic Drive-In has discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations. Your trust in Sonic is important to us and we sincerely regret any inconvenience this may cause."

The breach first came to light in late September. At that time, multiple financial institutions detected a pattern of fraud on payment cards that customers had previously used at Sonic Drive-In locations.

Investigative journalist Brian Krebs did some digging around and found approximately five million payment cards included in a "Firetigerrr" offering posted to the credit card theft bazaar Joker's Stash. Those card details were indexed by city, state, and zip code, most likely in an effort to help interested parties purchase local details and thereby not raise a red flag by conducting out-of-state transactions.

Firetigerrr 580x581

This batch of some five million cards put up for sale today (Sept. 26, 2017) on the popular carding site Joker’s Stash has been tied to a breach at Sonic Drive-In. The first batch of these cards appear to have been uploaded for sale on Sept. 15.

Here's what Sonic told Brian Krebs at the time:

"Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able."

The fast food chain is offering affected customers the now-all-too-commonplace one year subscription to an identity monitoring service. It's also urging them to review their financial activity and consider working with TransUnion, Experian, and Equifax to place a fraud alert or security freeze on their credit files.

Even so, Sonic hasn't provided any details about how the malware infected its systems or what it's doing to make sure something like this breach doesn't happen again. Customers' trust is everything in the age of digital security events; so too is doing everything to restore it in the wake of an incident. Let's hope Sonic provides additional details soon.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, ,

One Response

  1. Mark Jacobs

    October 6, 2017 at 5:04 pm #

    I can just hear Mike Reid's posthumous voice ringing in my ears, "Cor Blimey!" and the associated face palm. Absolutely atrocious, especially for Americans, recently.

Leave a Reply