Attention fans of tater tots, limeades and red and white-striped peppermints, you may want to check your credit card for suspicious activity.
According to Krebs on Security, Sonic is investigating a data breach that may affect millions of customers.
Sonic Drive-In, a fast-food chain with nearly 3,600 locations across 45 U.S. states, has acknowledged a breach affecting an unknown number of store payment systems. The ongoing breach may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores, KrebsOnSecurity has learned.
The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic.
I directed several of these banking industry sources to have a look at a brand new batch of some five million credit and debit card accounts that were first put up for sale on Sept. 18 in a credit card theft bazaar previously featured here called Joker’s Stash...
Sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker’s discovered they all had been recently used at Sonic locations.
Armed with this information, I phoned Sonic, which responded within an hour that it was indeed investigating “a potential incident” at some Sonic locations.
“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC,” reads a statement the company issued to KrebsOnSecurity. “The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
Wow. Way to stay on top of things, Sonic. I always figured Love's or Braum's would be the first Oklahoma-based retailer to have a massive security breach. That’s going to make for an awkward commercial with the Sonic guys.
“Do you want a Sonic Blast?”
"Hold on. I just got an alert from my bank."
"What's it say?"
"I have a negative balance on my account!"
"I guess that means I'm paying again???"
"Yes, and I'd suggest paying with cash!"
Also, can someone remind Sonic we're living in the twenty-first century, and educate them a little on debit and credit card data tokenization? Please?