Millions of credit and debit cards could be at risk thanks to an alleged security breach at Sonic Drive-In, according to KrebsOnSecurity. The outlet is reporting that an ongoing breach “may have led to a fire sale on millions of stolen credit and debit card accounts that are now being peddled in shadowy underground cybercrime stores.”

Sonic has about 3,600 locations in 45 states, with 90 percent or so representing franchised stores. KrebsOnSecurity was alerted by multiple financial institutions after they noticed a pattern of fraudulent transactions on cards previously used at Sonic. The issue turned out to be a massive one.

The company said it directed several of the banking sources to a batch of about five million credit and debit card accounts that were put up for sale on September 18 in a “credit card theft bazaar” called Joker’s Stash. Two sources who then agreed to purchase a handful of cards from the batch discovered they had all recently been used at Sonic restaurants. It is unclear, however, whether Sonic is the only company involved. The report said it’s likely, although unconfirmed, that the Sonic cards are mixed in with others stolen by the same cyber attackers.

Sonic told KrebsOnSecurity it was investigating “a potential incident.”

Here is the statement Sonic sent to KrebsOnSecurity:

“Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic. The security of our guests’ information is very important to Sonic. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

Travis Smith, principal security researcher at cybersecurity firm Tripwire, said quick-service chains remain a prime target.

“The best advice I can give to companies in possession of point of sale systems is to isolate and lock down the devices as much as possible,” he said in a statement. “Point-of-sale terminals are typically low change system environments. Implementing whitelisting technologies and closely monitoring for any change can both prevent and detect any potential attacks.”

“In the event of a compromised terminal, again these systems talk to predictable destinations both internally on the network as well as externally on the internet,” he added. “Isolating the network and only allowing communication to approved destinations will greatly reduce the overall attack surface of these devices.”

If true, Sonic will join a list of restaurant chains that have dealt with breaches in recent months.

In May, Chipotle announced a security issue hit “most” of its locations. Arby’s said in February that potentially more than 355,000 customers’ credit cards could have been compromised.

More than a thousand Wendy’s locations were impacted by a major card breach in July 2016, an issue that proved costly for card-issuing banks and credit unions, KrebsOnSecurity points out. Wendy’s needed months to fix the situation, partly because of the brand’s large corporate-owned structure. 

Finance, News, Security, Sonic