The stolen credit card details are up for sale in a cyber thief’s bazaar
A data breach of the payment system belonging to US fast-food chain Sonic Drive-In may have resulted in up to five million customers having their credit card details stolen.
With stores at 3,600 locations across 45 US states, Sonic Drive-In has a significant customer base and thus a treasure trove of data, which, according to security expert Brian Krebs, is potentially being sold in a fire sale in “shadowy underground cyber crime stores”.
The data breach, which appears to be ongoing, first showed signs at an Oklahoma City-based Sonic Drive-In last week, with Krebs noting that sources had told him about a number of fraudulent transactions cropping up on cards that had previously been used at the fast-food joints.
Sonic Drive-In did inform Krebs about the security breach and said that the company that processes its credit card transactions spotted “unusual security regarding credit cards being used at Sonic”.
Cyber crime pays
Given that Sonic Drive-In uses a single point-of-sale system across all its stores, the data breach has the potential to affect all of them and the customers who have made credit card payments in them.
“We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor,” Sonic Drive-In said in a statement to Krebs. “While law enforcement limits the information we can share, we will communicate additional information as we are able.”
The stolen details are now being sold in a cyber thief’s online bazaar called Joker’s Stash, though Krebs said it is unclear if all the details are from the Sonic Drive-In breach or include those swiped from other companies.
One of the reasons this breach is particularly nasty is that many companies across the US have been slow to adopt more secure chip and PIN systems and still rely on legacy magnetic card readers and signatures, which make it easier for criminals to clone cards and steal data.
Breaches of financial and personal details are becoming more commonplace yet are also exacting a greater toll on companies that fail to combat them, as seen with the Equifax data breach, which has seen the company’s chief executive resign his post.