The U.S. fast food chain Sonic Drive recently suffered a major security breach which compromised its millions of customers’ debit card and credit card numbers. Around five million stolen credit and debit card accounts were put up for sale on an underground marketplace called Joker’s Stash, priced between $25 and $50 per piece, on September 18.
The news was first reported by security expert Brian Krebs on September 26, on his personal blog website KrebsOnSecurity. The breach was reported from Oklahoma-based Sonic Drive-In branch.
Krebs reported, “The accounts apparently stolen from Sonic are part of a batch of cards that Joker’s Stash is calling ‘Firetigerrr,’ and they are indexed by city, state and ZIP code”.
The price of the stolen cards depended on many factors, including the type of card issued, the card’s level, whether the card is debit or credit and the issuing bank.
Sonic Drive-In, which runs 3,600 food outlets across 45 states, was notified by its credit card processor of “fraudulent activity” related to its credit cards. Two sources, who purchased a handful of cards from the theft bazar, confirmed to Krebs that all those cards were previously used at Sonic. After getting the tip-off, Krebs passed the information to Sonic.
In a statement, the company said, “The security of our guests’ information is very important to Sonic”, while adding “We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
“The probe is going on in its initial stages, and the company has still no count of how many or which of its stores may be impacted,” said Christi Woodworth, vice president of public relations at Sonic.
While reacting on the incident, Dan Berger, president and CEO of the National Association of Federally Insured Credit Unions, told Krebs, “These big card breaches are going to continue until there’s a national standard that holds retailers and merchants accountable”.
Meanwhile, Fortune reported on September 27 Sonic’s stock plunged to its lowest value in two months, after credit and debit card hack was confirmed. The company’s shares dropped by at least 4.4% to $23.52, the biggest drop within one day since August 8.