Possible Sonic Drive-In Credit-Card Breach: What to Do

If you’ve used your credit card at a Sonic Drive-In restaurant recently, better check your statements. The entire fast-food chain, or at least a significant part of it, may have suffered a credit-card breach, according to independent security reporter Brian Krebs.

A Sonic restaurant in Costa Mesa, California. Credit: Ken Wolter/ShutterstockA Sonic restaurant in Costa Mesa, California. Credit: Ken Wolter/Shutterstock

The company confirmed to Krebs that there had been “unusual activity regarding credit cards used at Sonic,” but couldn’t confirm how many cards might be affected, how many of the roughly 3,500 Sonic restaurants might be involved, or whether there had even been a breach at all.

Nonetheless, if you have used a card at Sonic within the past six months, call the service number on the back of the card and use the automated menus to check your recent transactions. If there are transactions you don’t recognize, notify the card issuer immediately.

Krebs said he heard last week that 5 million newly stolen credit-card numbers had been put up for sale in an online “carder” market called Joker’s Stash. A screenshot from yesterday (Sept. 26) showed a listing boasting that the cards came from “almost all USA states.”

Who’s Impacted

The Oklahoma-based Sonic chain has restaurants in 45 U.S. states — all but Alaska, Hawaii, Maine, New Hampshire and Vermont. It features traditional American fast food, such as burgers, milkshakes and hot dogs, served by wait staff on roller skates to customers waiting in cars or outdoor tables.

Not a hedgehog, but it should check its credit-card statements anyway. Credit: Sonic Restaurants, Inc.Not a hedgehog, but it should check its credit-card statements anyway. Credit: Sonic Restaurants, Inc.

The cards being sold are part of a set called “Firetigerrr” by the seller, and are being offered for between $25 and $55, depending on whether they are credit or debit, their status level (standard, business, platinum, etc.) and their issuing bank. A screenshot of cards being offered that Krebs posted listed 11 cards issued in Texas, North Carolina, Arkansas, Louisiana, Virginia, Georgia and Washington state.

Krebs noted that the relatively high individual price — U.S. payment cards often sell for less than half those prices — might be due to the recentness of the breach.

Krebs got two of his contacts to buy some cards from the Firetigerrr set. Both contacts confirmed that all the cards they’d purchased had been used at Sonic restaurants recently. (Legally questionable as buying stolen card numbers may be, it’s something that big banks routinely do to get information about credit-card theft.)

However, it’s also possible that the cards could have been stolen from another retailer that happens to have a lot of customer overlap with Sonic.

It’s not clear how a breach might have happened, but the presence of cards from a wide geographical area makes it improbable that the card numbers were stolen by unscrupulous cashiers. With a breach of this size and scope, it’s more likely that criminals broke into some part of a back-end payment-processing system, as happened in the massive Target credit-card breach in 2013.

What Happens Next

If the Sonic breach is for real, it may take some time to confirm. Most Sonic restaurants are owned by franchise businesses independent from the Sonic Corporation, and the company would have to collect information from each of franchisee.

The stolen card information can be used to make purchases online or to “clone” new cards by replicating the data on a card’s magnetic stripe.

Online retailers are supposed to prevent this kind of fraud by requiring purchases to input a three- or four-digit number printed on the card, but not included in the card’s electronic data. However, many online retailers don’t ask for that number.

Brick-and-mortar retailers are supposed to upgrade to chip-and-signature cards that are much harder to replicate than magnetic-stripe cards, but, as anyone who’s shopped in the United States recently knows, many retailers don’t accept chip cards yet.

If your card ends up being part of the possible Sonic breach, don’t panic. Just inform your card issuer ASAP (within two days if it’s a debit card) and you won’t be responsible for fraudulent transactions.

Payment-card theft generally has little impact on the end user, other than having to replace the card itself. Breaches of personal information, such as the Equifax data breach disclosed earlier this month, are much worse and have much longer-lasting effects.

Thanks for your visiting on this page Possible Sonic Drive-In Credit-Card Breach: What to Do, We hope this post can be a good reference for you and provide useful information for you :-).

This article is sourced from: Here

Leave a Reply

Your email address will not be published. Required fields are marked *