Sonic Investigates Breach, 5 Million Cards For Sale on Cybercriminal Market

The fast-food chain Sonic said yesterday that it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash.

Sonic said its payment card processor informed the company last week of unusual activity regarding cards used at its stores. Krebs reported that two sources purchased a handful of payment cards from the batch of five million credit and debit cards listed on Joker’s Stash, and those sources said the stolen cards had all been recently used at Sonic locations.

A Sonic spokesperson said that the breach investigation is still in its early stages and it is unclear how many of the company’s nearly 3,600 locations may have been impacted.

2017-09-27_SonicBreachJokersStash
Cybercriminal markets like Joker’s Stash often allow the filtering of stolen payment cards based on various options such as location, which allows malicious actors to target affluent areas or to buy cards located near them so that fraudulent transactions are harder to detect.

“It remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs wrote. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”

Fast food chains have been at the center of some of the most impactful and widely discussed payment card breaches over the past several years. In July 2016, Wendy’s announced that more than 1,000 stores were affected by point-of-sale malware, leading the fast-food chain to become the top trending company tied to a payment card breach last year. Likewise, Arby’s point-of-sale breach is the top trending consumer goods payment card breach of 2017, and other major restaurant chains such as Chipotle and Shoney’s have announced similar breaches this year.

2017-09-27_ConsumerGoodITT
Arby’s is the top trending consumer good target associated with payment card cybercrime so far this year, although it remains to be see how impactful the Sonic breach will be.

An interesting breach announcement trend in 2017 is the attempt to obfuscate the total number of breached locations behind clunky websites that divide the affected locations into searches not just by state, but by city. Case in point, the breach lookup webpage provided by Arby’s, which mimics the cumbersome and now-defunct webpage set up by InterContinental Hotels Group (IHG) for its recent breach. The IHG website divided the affected locations across hundreds of individual cities, and that tool, along with the news that IHG would update the list as more hotels confirmed breaches, meant frequent travelers had to comb through numerous searches repeatedly in order to find out if they were impacted by a single breach.

The Wendy’s breach, which affected franchise locations serviced by a third-party payment provider, was particularly painful for financial institutions as some locations were re-compromised after initially clearing the malware — leading to customer payment cards having to be re-issued multiple times. The Arby’s breach, by contrast, was caused by malware placed on systems inside corporate stores rather than franchise locations.

It’s unclear at this point which Sonic stores were affected, but the a 2016 report to stockholders said that 3,212 of the company’s 3,557 locations are franchised. The company also announced in 2014 that it was rolling out a new point-of-sale system and proprietary point-of-personalized service technology based on a Micros Oracle platform. In April 2017 it was reported that the update had made its way to 77 percent of Shoney’s locations.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s