American fast food restaurant chain Sonic has publicly confirmed a payment card breach affecting some of its Drive-In locations.
On 4 October 2017, the Oklahoma City headquarters of the chain released a statement acknowledging the incident:
“Sonic Drive-In has discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations. Your trust in Sonic is important to us and we sincerely regret any inconvenience this may cause.”
The breach first came to light in late September. At that time, multiple financial institutions detected a pattern of fraud on payment cards that customers had previously used at Sonic Drive-In locations.
Investigative journalist Brian Krebs did some digging around and found approximately five million payment cards included in a “Firetigerrr” offering posted to the credit card theft bazaar Joker’s Stash. Those card details were indexed by city, state, and zip code, most likely in an effort to help interested parties purchase local details and thereby not raise a red flag by conducting out-of-state transactions.
Here’s what Sonic told Brian Krebs at the time:
“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
The fast food chain is offering affected customers the now-all-too-commonplace one year subscription to an identity monitoring service. It’s also urging them to review their financial activity and consider working with TransUnion, Experian, and Equifax to place a fraud alert or security freeze on their credit files.
Even so, Sonic hasn’t provided any details about how the malware infected its systems or what it’s doing to make sure something like this breach doesn’t happen again. Customers’ trust is everything in the age of digital security events; so too is doing everything to restore it in the wake of an incident. Let’s hope Sonic provides additional details soon.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.