Full Scope of Potential Breach Remains Unknown
U.S. fast-food chain Sonic Drive-In said Tuesday it is investigating a potential payment card breach. Its alert follows a large, potentially related batch of stolen card data appearing for sale on a cybercrime “carder” marketplace.
Sonic, based in Oklahoma City, says it was alerted by its credit card processor last week to “unusual activity” on cards that had been used at its restaurants. Sonic has 3,500 franchises across the United States.
“We are working to understand the nature and scope of this issue, as we know how important this is to our guests,” according to a statement issued by Sonic. “We immediately engaged third-party forensic experts and law enforcement when we heard from our processor.”
News of the suspected payment card breach was first reported by cybersecurity blogger Brian Krebs. He writes that the cybercrime marketplace called “Joker’s Stash” advertised 5 million new credit and debit card details on Sept. 18.
Krebs reports that two sources who purchased card data from the batch at Joker’s Stash confirmed that all had been used recently at Sonic restaurants. The card data was priced at between $25 and $50 per card.
If verified, Sonic would be the latest large U.S. business to be targeted by payment card data thieves. Retailers, hotels, restaurants and many other types of businesses have been hammered by cybercriminals who use a variety of techniques to steal card data.
It’s strongly advised that businesses follow the Payment Card Industry’s Data Security Standard, or PCI-DSS, a labyrinth of recommendations for securing payments data. The regimen is designed to secure network transmission of card details and prevent fraudsters from grabbing unencrypted data.
But reaching PCI-DSS compliance can be difficult. And once an organization is compliant, it can easily fall out of compliance due to changes in its infrastructure or new business processes.
There’s also third-party risk. Many companies have service agreements with a variety of vendors that have remote network access to their clients’ systems. “These vendors that do remote access – they’re sometimes lazy and they want to use the same password across all stores, and none of them are secure,” says John Christly, global CISO for Netsurion, a network security vendor.