Add Sonic Drive-In to the roster of merchants that have experienced a breach of their payments systems. The Oklahoma City-based fast-food chain confirmed to Digital Transaction News that it has been investigating the incident. On Tuesday, security blog KrebsOnSecurity.com reported the breach affecting an unknown number of Sonic’s point-of-sale systems.
“Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic,” the company says in a statement. It did not disclose which processor this is. “We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
The breach came to light when KrebsOnSecurity, acting on tips from banking sources, noticed a batch of new card data on a site used to sell such data, and that the cards apparently had been used fraudulently. A vetting of the data indicated the cards’ common use at Sonic. Neither the Sonic locations that may have been affected nor the number of cards associated with this breach has been confirmed. KrebsOnSecurity said the card-data seller claimed 5 million accounts, but it’s not known if that’s from one or multiple merchants.
In any case, the breach yet again points out the peril consumers face when using credit and debit cards. “With no concrete information on when and where this took place, Sonic customers can only hope they’re not involved and wait to learn whether their card has been stolen,” Robert W. Capps, vice president of business development at risk-management provider NuData Security Inc., said in a statement. Mastercard Inc. purchased Vancouver, British Columbia-based NuData earlier this year.
The Sonic incident is close on the heels of the Equifax Inc. breach that affected 143 million consumers. Equifax announced Tuesday that Richard Smith, chairman and chief executive, retired that day. His departure followed that of the company’s chief information officer and chief security officer earlier this month.
Consumers will contend with the impact of these breaches for years. Throwing the Sonic incident into the mix aggravates that impact. “At this point, little is known about the breach, but what IS known is that login details, passwords, payment information and personally identifiable information magnetically attract hackers,” Capps said. “Like Wendy’s, Target, and an alarming number of other major data breaches, the Sonic breach is bound to be a painful reminder that personal data is an irresistible target, no matter how diligent any company’s efforts are in data protection.” Fast-food retailer Wendy’s had a breach in 2016, and Target reported a major breach in late 2013.
One fix to alleviate the issue is to neutralize personally identifiable information, often labeled PII, Capps said. “Until PII data is rendered worthless by advanced authentication such as passive biometrics, consumers will continue to suffer the consequences of industry and legislative inaction.”