Sonic Drive-In Breach Could See Info of Millions of Credit, Debit Cards Stolen

Drive-in restaurant chain Sonic is the latest major company to be the target of a significant data breach.

Fast-food chain Sonic Drive-In, with nearly 3,600 locations in 45 U.S. states, has admitted to a data breach affecting a yet-unknown number of payment systems. According to KrebsOnSecurity, the data breach may have led to a major sale of millions of stolen credit and debit card details on underground cybercrime forums.

The company has said it is unclear just how many restaurants or customers may have been impacted.

A statement from Sonic reads:

We are working to understand the nature and scope of this issue. While law enforcement limits the information we can share, we will communicate additional information as we are able.

In his blog, Brian Krebs revealed he first picked up signs of a major breach after a pattern of fraudulent transactions on cards previously used at Sonic restaurants. Krebs then cross-referenced a new batch of some five million credit and debit card accounts put up for sale on an underground forum with banking sources, who confirmed the cards were recently used at Sonic locations.

When contacted, Sonic soon responded that it was investigating a “potential incident” at store locations.

In its response to Krebs’ security blog, Sonic stated:

Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC… We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.

The hackers are likely to have gained remote access to point-of-sale card machines at Sonic store locations. The incident has parallels with another major card breach at fast-food chain Wendy’s. Wendy’s had a particularly hard time fixing the situation, as the majority of the breached locations were independently owned franchises rather than corporate-owned outlets.

“The Wendy’s breach was extremely costly for card-issuing banks and credit unions, which were forced to continuously re-issue customer cards that kept getting re-compromised every time their customers went back to eat at another Wendy’s,” Krebs explained.

Indeed, some 90% of Sonic locations in the country are also franchised, which leaves room for the possibility of another fiasco.
