Sonic Drive-In Suffers Massive Data Breach Impacted Millions

A massive data breach at the Sonic Drive-In fast-food chain could reportedly have affected millions of customers, compromising sensitive personal data like credit and debit card details.

It was Brian Krebs, who runs the cyber security website KrebsOnSecurity, who first detected the possibility of such a data breach and then reported it to Sonic. A post on KrebsonSecurity dated 26 September 2017 says- “The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic.”

Brian Krebs then directed several of these banking industry sources to take a look at a brand new batch of some five million credit/debit card accounts that were first put up for sale on Sept. 18 in a credit card theft bazaar called Joker’s Stash. This led to the discovery of the possibility of a data breach. Says Krebs- “Sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker’s discovered they all had been recently used at Sonic locations.”

Krebs next phoned and intimated Sonic; in an hour Sonic responded saying that “…it was indeed investigating “a potential incident” at some Sonic locations.”

Sonic even issued a statement to KrebsOnSecurity; the statement says- “Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

Since the investigation is in its early stages, it’s not known how many stores or which ones have been affected by the data breach.

The KrebsOnSecurity post, however, discusses something that could be a cause of concern; it says – “The accounts apparently stolen from Sonic are part of a batch of cards that Joker’s Stash is calling “Firetigerrr,” and they are indexed by city, state and ZIP code. This geographic specificity allows potential buyers to purchase only cards that were stolen from Sonic customers who live near them, thus avoiding a common anti-fraud defense in which a financial institution might block out-of-state transactions from a known compromised card.”

Krebs also notes that the batch of five million cards at Joker’s Stash might have for sale cards not just of Sonic customers, but of cards that have perhaps been stolen from other eatery brands compromised by the same hackers.

Sonic, headquartered in Oklahoma City, has nearly 3,600 locations across 45 U.S. States.