Report: Sonic Drive-In Credit Card Breach May Affect Millions of Customers

An alleged data breach related to the credit and debit card system of Sonic drive-in could leave millions of customers at risk.

Krebs on Security reports that a data breach at Sonic drive-in could put the debit and credit card details of millions of customers at risk. Sonic currently has 3,600 locations across 45 U.S. states, but the company has not announced how many locations may be affected by the data breach. The first hint of a data breach came from an Oklahoma City-based Sonic when Krebs noticed a number of fraudulent transactions being reported by financial institutions from credit cards used at that Sonic location.

Krebs then directed these financial institutions towards a recently published batch of five million stolen credit cards made available for purchase on the dark web on September 18 in a credit card theft marketplace called Joker’s Stash. Two sources reportedly agreed to purchase a batch of credit card details from the accounts on sale at Joker’s Stash, and it was discovered that these cards had indeed been used at Sonic locations recently. Krebs contacted Sonic, and the company confirmed that they were investigating a “potential incident” at some Sonic locations.

The company eventually offered a statement, saying, “Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

The vice president of public relations at Sonic, Christi Woodworth, said that the investigation is still in the very early stages and that Sonic does not yet know which stores may have been impacted. Dan Berger, president and CEO of the National Association of Federally Insured Credit Unions, discussed the possible data breach and how financial institutions will be forced to deal with the brunt of the fallout of the stolen card details.

“It’s going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer’s checking account, or reissues the cards, and all those costs fall back on the financial institutions,” Berger said. “These big card breaches are going to continue until there’s a national standard that holds retailers and merchants accountable.”