Sonic Drive-In breach: Millions of stolen credit and debit card accounts up for sale on the dark web

US fast food chain Sonic Drive-In suffered a security breach affecting an unknown number of its store payment card systems and compromising millions of customers' debit and credit card numbers. The massive breach may have resulted in millions of stolen payment card accounts being put up for sale on the dark web market, security expert Brian Krebs first reported on Tuesday (26 September).

Krebs reported that multiple financial institutions noticed a pattern of unusual transactions on cards that were previously used at Sonic outlets.

On 18 September, a new batch of around five million credit and debit card accounts were put up for sale on an underground marketplace called Joker's Stash with most of the cards priced between $25 and $50 per piece. Some of the cards from the batch were found to be recently used at Sonic locations, according to Krebs.

"The accounts apparently stolen from Sonic are part of a batch of cards that Joker's Stash is calling 'Firetigerrr,' and they are indexed by city, state and ZIP code," Krebs reported. "This geographic specificity allows potential buyers to purchase only cards that were stolen from Sonic customers who live near them, thus avoiding a common anti-fraud defence in which a financial institution might block out-of-state transactions from a known compromised card.

"Prices for the cards advertised in the Firetigerr batch are somewhat higher than for cards stolen in other breaches, likely because this batch is extremely fresh and unlikely to have been canceled by card-issuing banks yet."

He added that the price of the stolen cards depended on a number of factors including "the type of card issued (Amex, Visa, MasterCard, etc), the card's level (classic, standard, signature, platinum, etc); whether the card is debit or credit; and the issuing bank."

However, Krebs noted that it is still unclear whether Sonic is the only company whose customers' cards were being sold in the Firetigerr batch.

The company told Krebs that it was notified by its credit card processor last week of "unusual activity" regarding credit cards used at its locations.

"The security of our guests' information is very important to Sonic," the company told IBTimes UK. "We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able."

It is still unclear how many customers were affected or how many Sonic stores were impacted in the breach. The popular fast food chain has nearly 3,600 locations across 45 states in the US.

Sonic Drive-In is the latest in a slew of US restaurants and hospitality chains to suffer a major data breach.

In May, popular Mexican fast food chain Chipotle said it was hit with a cyberattack affecting its payment systems across the US, affecting customers in at least 48 states.

In April, Shoney's confirmed that some of its restaurants were infected with point-of-sale malware that compromised customers' payment card details for months. In February, Arby's said hackers infected many of its restaurants' payment card systems across the country.

In 2016, burger chain Wendy's disclosed that hackers targeted hundreds of its restaurants with malware on its point -of-sale systems.

"It's going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer's checking account, or reissues the cards, and all those costs fall back on the financial institutions," Dan Berger, president and CEO of the National Association of Federally Insured Credit Unions, told Krebs. "These big card breaches are going to continue until there's a national standard that holds retailers and merchants accountable."