It seems like every other week or so we are reporting on recent data breaches affecting millions of Americans. From Target to Equifax, it seems that no company with electronic databases can keep our information totally secure. That apparently also includes the popular fast-food chain Sonic.
The fast-food chain noticed some strange activity occurring with credit cards that were used at their restaurants in the past week. As of this point, the scope of the issue is not yet fully known, but Sonic is working with law enforcement and forensics experts to figure out what exactly is going on.
The breach was initially reported by cyber security journalist Brian Krebs. According to United Press International, he said that he noticed that a great number of fraudulent credit card transactions being traced back to Sonic as a common thread. With that information, all stored on the card’s magnetic strip, hackers can clone the cards and make fraudulent purchases with the newfound information.
Krebs discussed the breach in more detail at his website, Krebs On Security:
The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic.
I directed several of these banking industry sources to have a look at a brand new batch of some five million credit and debit card accounts that were first put up for sale on Sept. 18 in a credit card theft bazaar previously featured here called Joker’s Stash:
Sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker’s discovered they all had been recently used at Sonic locations.
Armed with this information, I phoned Sonic, which responded within an hour that it was indeed investigating “a potential incident” at some Sonic locations.
Sonic issued a statement to Krebs on Security, stating:
“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
Hackers normally get credit card information by hacking into point-of-sale systems remotely, then planting malware on the systems that then send them credit card information from anyone who swipes at an affected spot.
Information from those cards is now listed for sale online at high prices, likely given the fact that this is a “fresh batch” of credit card numbers.
Most of the cards range in price from $25 to $50, and the price is influenced by a number of factors, including: the type of card issued (Amex, Visa, MasterCard, etc); the card’s level (classic, standard, signature, platinum, etc.); whether the card is debit or credit; and the issuing bank.
I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash. There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.
These sorts of data breaches are becoming more common as time goes on. That’s why I recommend using cash for as many things as possible. With cash, there is complete anonymity, and no chance of being hacked out of your physically held dollars.
Cash is the only truly secure transaction. There is nothing electronic that hackers can take to use for their nefarious purposes. The idea of carrying cash these days is a rather rare and strange one in the age of plastic, but what is becoming normal is having your data breached.
I’ll take being weird and secure any day over being normal and compromised.