Millions of credit card credentials stolen after data breach at Sonic Drive-In

On September 26th, a batch of about 5 million credit cards was on sale on a famous data theft website called Joker’s Stash. This sale coincides with abnormal activity detected concerning credit cards at the large US fast-food chain Sonic Drive-In. 


Sonic Drive-In confirmed the data breach 

It is only when famous blogger Brian Krebs contacted Sonic Drive-In that the company issued a statement, agreeing that their credit card processor notified them of “unusual activity regarding credit cards used at Sonic…”  However, the company neither disclosed the exact quantity of credit cards affected nor the time frame of the breach. The company also said that the credit card credentials of their customers may have been acquired by third-party individuals through a malware attack on their systems at some of their locations. Sonic is still investigating the issue and that means that at some of their locations, customers’ information is probably still being stolen. 

The cards are being sold in a group called ‘Firetigerrr’ 

The cards have been put on sale in a group named ‘Firetigerrr’ on the Joker’s stash website, ranging between $25-$50. Krebs underlined that these cards are being sold for a relatively high price as they are usually sold for even less than half of that amount. He thinks that these high prices are due to the theft having very recently occurred and due to the newness of the cards on the market. The data that has been published with these cards consist of the holder’s bank name, the brand of the card, whether the card is a debit or credit one, the holder’s city and state and the card’s status level (platinum, business, standard and so on, which accounts for the variation in prices.)

On Krebs’ orders, two of his contacts were able to purchase two of these credit cards and had confirmed that they had really been used at Sonic Drive-In. To note that though this may be legally questionable, banks often buy stolen credit cards in order to be able to gain more information about the thefts. 

Franchises with many independent owners makes investigation difficult

Sonic Drive-In, like many other fast food companies, is a franchise, where most of the restaurants are owned and operated by many independent owners. This system makes investigating data breaches complicated as they outsource payments. The gruesome issue with this is that Sonic Drive-In’s thousands of independent owners use a third party point-of-sale vendor to handle the credit card transactions. Though handling over this part of the work to an outside company rather than handling it internally increases efficiency in terms of sales and operations, there is a notable risk of these locations suffering from a breach which is what happened here.

The way hackers are able to gain access to customers’ information is simple, the point-of-sale vendor has the ability to access this valuable information in order to manage it or to install updates on their system. Thus, by hacking the third party through phishing and social engineering, hackers are able to take advantage of insiders in an organization thus becoming one the biggest weaknesses of cybersecurity, that is, insider threats. An insider threat has been defined as being “a generic term for a threat to an organization’s security or data that comes from within. Such treats are usually attributed to employees or former employees, but may also arise from third parties including contractors, temporary workers or customers.”

Breaches at franchises are common

These types of data breaches are becoming increasingly common. Back in November 2013, there had been a data breach at the popular U.S retailer Target, where 70 million customers had had their financial and personal data stolen. This breach was caused by a malware installed on the credit card processing machines, the system thus became defective and the hackers were able to take advantage of this defect and gained access to the customers’ data.

However, in January 2014 U.S retailer, the Neiman Marcus Group suffered from a security breach too where 1.1 million customers had had their payment cards scraped to collect payment information whereby 2,400 unique cards were fraudulently used showing that these types of data breaches are increasing in frequency, thus, there is an urgency for all businesses to review their security systems to protect customers. It did not end there, from end 2015 to 2016, fast food company Wendy’s payment card processing machines were affected by a malware for 9 months at more than 1, 000 locations. 

There is a miscommunication between security professionals and the management

Surprisingly, according to a recent survey by Ponemon Institute, a security research firm, only 20% of the 674 IT and IT security professionals surveyed said that there is regular communication about probable security threats to the upper management. An even more startling fact is that 57% of the respondents said that they expect an incoming breach in their security systems during the following year. What is even more troubling, especially for customers is the amount of time such breaches take to be investigated upon.

According to the report, it takes around a month for companies to investigate a breach, to restore the service they offer and to find concrete solutions. 47% of the respondents also admitted that the companies where they work at either do not evaluate the readiness of their cybersecurity teams to respond to such attacks of such type or do not do it regularly. “Computer security needs to be a boardroom discussion, before the organization is in the headlines and not after,” Ponemon Institute added.

As such it is surprising that companies do not take cybersecurity threats more seriously given that the probability of a company being hacked is increasing and organizations are to face a number of disadvantages if that happens. Ruined reputation and loss of revenue are one of the most adverse impacts of a cyber-attack. It is followed by damaged intellectual property which refers to hackers stealing blueprints, ideas, and plans of the company which can ruin the future expansion possibilities of a corporate body. 

Sonic is providing a solution to minimise the effects of this cyber attack

In order to bring their services back to normal and to limit damage done to their customers, Sonic said that it will provide customers who used their payment cards at their locations this year free fraud detection and identity theft protection with the Experian IdentityWorks program for 2 years. This Experian program offers its users credit monitoring, daily credit reports, identity theft insurance and in the event a user is the victim of identity theft, an identity restoration program. 

Taking precautions as a customer is crucial

Data theft is not limited only these types of cyber-attacks. There are multiple ways a person’s data can be stolen and misused, for instance, someone may also steal data from discarded billing statements, or a dishonest waiter, cashier or clerk may take a picture or note down the information on your card unnoticed. Or, you may receive a phone call with an offer for a deal like discounted air ticket prices but to be able to use that offer, you have to give your personal details like your card number. These are only some of the ways someone can access your sensitive information. The hacker may then use your information to purchase things or create accounts under your name and spend your money fraudulently.

But there are several ways you can protect yourself from being a victim to these data thieves. Incorporating a few practices into your routine may help you avoid the worst and keep your account safe. To begin with, do not lend your payment cards to anyone and do not leave your billing statements and receipts anywhere, always make sure to destroy them after use. Think carefully before giving your card number to anyone, do not give it to people you are unsure of. Make it a point to keep your cards safely with you and you should be careful never to write your account number on random things such as a letter or an email. Lastly, call your card issuer promptly should you experience any unusual transactions that you are not aware of, being done with your card. 

Related articles published in EMV and Smart Payment Cards :


Image: Shutterstock