Data Security breach at Sonic Drive-In

Hackers made off with millions of credit/debit card numbers, according to report

Kyle
The Startup
5 min read · Feb 3, 2018

Sonic Drive-In location. Photo: Krebs On Security

Update 10/3/2017: The Guardian reported that “Top 4” accounting agency, Deloitte, was affected by a breach on September 25, which “potentially compromises all administrative accounts within the firm along with the entire internal email system.” The compromised information is believed to include usernames, passwords and personal data for some of the firm’s top clients.

Grocery store chain Whole Foods may also have had payment card information stolen from its point-of-sale system on September 29, 2017.

Update 10/4/2017: It was announced on Wednesday, October 4, 2017, that Sonic would offer its customers who have used their cards at Sonic locations within the past year “24 months of free fraud detection and identity theft protection through Experian’s IdentityWorks program.”

Original story:

In a report released by Krebs On Security on September 17, 2017, it was revealed that Oklahoma City-based fast food chain Sonic Drive-In had acknowledged a data security breach which allowed for an unknown number of Sonic cash registers (known today as point-of-sale terminals) to be compromised. This comes shortly after approximately 5 million stolen credit card numbers — which were recently used at Sonic locations — were put up for sale on the dark web. Sonic Drive-In was notified shortly after of “unusual activity” by its credit card service provider and, according to a company statement, has “engaged” with law enforcement and forensic experts to determine the depth of the breach.

“We are working to understand the nature and scope of this issue, as we know how important this is to our guests,” a statement by the company said. “We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.” — Sonic Drive-In’s statement

Krebs has stated that it is unclear if the credit card numbers stolen are linked to Sonic and that other companies may also have been compromised. The vice president of public relations at Sonic, Christi Woodworth, has gone on record stating that the investigation into the breach is still in its early stages and, as a result, it remains unclear how many locations or customers have been affected.

These types of security breaches involve hackers “surreptitiously accessing” the point-of-sale systems of organizations which accept cards, installing malware which sends card numbers and other account information of swiped cards to the hackers, who then sell the information on the dark web. Prices for the card information are usually set by how “fresh” (recent) the cards are¹, as well as the type (debit/credit, issuing company/bank) and level (platinum, standard, green, etc.) of the card. Thieves then purchase the information and use it to create copies of the cards, using the counterfeit copies to purchase high-value items from various stores at the expense of credit card companies and the innocent cardholder whose information was stolen.

Reports of incidents like this are becoming increasingly common. Typically, incidents result in a decreased stock value for the company(ies) affected and temporarily tarnish their reputations. The 2013 Target hack is an example of this, as are the Chipotle hack in May and the Home Depot hack in 2014.

According to the Huffington Post, hacks like this are usually unpreventable by the affected companies, as they are typically in compliance with security procedures set out by credit card companies. Financial institutions within the United States are partially to blame for the issue within the country as the US is the last G20 nation to make the shift to the more secure chip-based card technology. Chip-based cards are significantly more expensive and present potential thieves with a far greater challenge to counterfeit than their stripe counterparts. Unfortunately, many institutions have yet to replace the stripe cards with the newer standard. According to Visa, 58 percent of the 421 million Visa cards issued by financial institutions in the United States were chip-based as of March 2017.

“It’s going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer’s checking account, or reissues the cards, and all those costs fall back on the financial institutions,” Berger said. “These big card breaches are going to continue until there’s a national standard that holds retailers and merchants accountable.” — Dan Berger, president and CEO of the National Association of Federally Insured Credit Unions

Retailers who accept chip-based cards tend to present a less attractive target to would-be thieves and hackers than those unequipped with the technology, because it is substantially more difficult to glean information from the more secure chipped cards. Visa stated in March that only 44 percent of stores accepting its cards are considered “chip-enabled,” meaning that 56 percent of stores within the United States are not capable of handling chip-based cards — making them far more vulnerable to future occurrences.

This recent development goes to show that individuals and companies are vulnerable to breaches like these. The risk is, however, mitigable through the close, regular monitoring of financial statements. If you notice suspicious activity or unauthorized transactions on your accounts, it is imperative to report them to the relevant agency/card issuer as soon as possible to avoid potential hassles or having to foot the bill.

¹: The more recently the card information was stolen, the less likely it is that the cards have been discovered and canceled.
