Sonic publicly confirms payment card breach at drive-in locations

Doesn’t comment on number of customers potentially affected…

David bisson
David Bisson

Sonic publicly confirms payment card breach at drive-In locations

American fast food restaurant chain Sonic has publicly confirmed a payment card breach affecting some of its Drive-In locations.

On 4 October 2017, the Oklahoma City headquarters of the chain released a statement acknowledging the incident:

“Sonic Drive-In has discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations. Your trust in Sonic is important to us and we sincerely regret any inconvenience this may cause.”

Sign up to our free newsletter.
Security news, advice, and tips.

The breach first came to light in late September. At that time, multiple financial institutions detected a pattern of fraud on payment cards that customers had previously used at Sonic Drive-In locations.

Investigative journalist Brian Krebs did some digging around and found approximately five million payment cards included in a “Firetigerrr” offering posted to the credit card theft bazaar Joker’s Stash. Those card details were indexed by city, state, and zip code, most likely in an effort to help interested parties purchase local details and thereby not raise a red flag by conducting out-of-state transactions.

Firetigerrr 580x581
This batch of some five million cards put up for sale today (Sept. 26, 2017) on the popular carding site Joker’s Stash has been tied to a breach at Sonic Drive-In. The first batch of these cards appear to have been uploaded for sale on Sept. 15.

Here’s what Sonic told Brian Krebs at the time:

“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

The fast food chain is offering affected customers the now-all-too-commonplace one year subscription to an identity monitoring service. It’s also urging them to review their financial activity and consider working with TransUnion, Experian, and Equifax to place a fraud alert or security freeze on their credit files.

Even so, Sonic hasn’t provided any details about how the malware infected its systems or what it’s doing to make sure something like this breach doesn’t happen again. Customers’ trust is everything in the age of digital security events; so too is doing everything to restore it in the wake of an incident. Let’s hope Sonic provides additional details soon.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Sonic publicly confirms payment card breach at drive-in locations”

  1. Mark Jacobs

    I can just hear Mike Reid's posthumous voice ringing in my ears, "Cor Blimey!" and the associated face palm. Absolutely atrocious, especially for Americans, recently.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.