by Tara Seals
Sonic Drive-In, the US fast-food chain where car-hops are still a thing, is the latest victim of a security breach. The number of store payment systems affected is unknown, but the victims could number in the millions.
Sonic has confirmed that it has been investigating unusual payment card activity since being informed by its credit card processor last week.
First disclosed by independent researcher Brian Krebs, the compromise came to light via a pattern of fraudulent transactions on cards that had previously been used at one of Sonic’s 3,600 locations.
“I began hearing from sources at multiple financial institutions,” Krebs noted in a post. Those cards were then found to be part of a cache of five million credit and debit card accounts that were first put up for sale in mid-September on a dark web site called Joker’s Stash, all indexed by city, state and ZIP code. They’re going at a premium, too: between $25 and $50 per card.
“I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”