Data Dive

The Surprise And No Delight Edition: Whole Foods, Sonic and BAMS

The worst lines ever spoken in thriller/horror movies are “I’ll be right back” and “What else could possibly go wrong?” In the first instance, the person speaking those words is probably not coming back, and the moment the second is said, something else goes horribly wrong.

In the “what else could possibly go wrong, cybersecurity edition” category, particularly in the aftermath of the torrents of coverage on the Equifax breach, it seems the cybercriminals didn’t all retire after the announcement – in fact, they managed to find their way into the Whole Foods and Sonic POS systems and steal cardholder data.

Then there was news of the layoffs at Bank of America Merchant Services as the merchant processor retools in the face of the big shifts to digital commerce.

Surprises, all, but not much delight.

Sonic Breached

Sonic Drive-In has been breached – and possibly in a pretty big way. The fast-food restaurant, which operates 3,600 locations across 45 U.S. states, has yet to disclose how many store payment systems have been affected.

It’s a sure bet that these stolen card numbers are going to bad homes. Last week, Krebs on Security reported that the flood of cards has created a “fire sale” of data on the dark web, specifically in a bazaar called Joker’s Stash, where there were some five million new cards available to purchase.

The first sign that a big breach had happened came when banks in the Oklahoma City area reported that they had noticed a wave of bad card transactions held together by a single commonality: All of the cards had recently been used at a Sonic location.

It remains unclear whether Sonic is the only company whose customers’ cards are being sold in the five million-card batch at Joker’s Stash, or if (as reports indicated) those cards are being mixed in with the ones stolen from other eatery brands that may be compromised by the same attackers.

“Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic,” said a statement the company issued to Krebs On Security. “The security of our guests’ information is very important to Sonic. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

And, as it turns out, they aren’t the only firm that will have some new communication channels to open with their customers soon.

And Then There Were Two: Whole Foods Investigates Possible Breach

It is, as Shirley Bassey said, a little bit of history repeating – and quickly.

Whole Foods has acknowledged that its customers’ payment card information has been illegally accessed – specifically, data used at its taprooms and full-service restaurants located within some stores.

The good(ish) news is these parts of the store use a point-of-sale (POS) system that is separate from the company’s primary store checkout systems, and payment cards used at the latter were not affected.

Whole Foods is assuring customers that it is taking appropriate measures to address the issue. When the breach was found, the chain hired a leading cybersecurity forensics firm and contacted law enforcement.

Amazon systems were not affected by the breach, as they are separate from and unconnected to the systems at Whole Foods.

The investigation is ongoing, and Whole Foods will provide additional updates as it learns more. While most stores do not have these taprooms and restaurants, the company is encouraging customers to closely monitor their payment card statements for any unauthorized charges.

It’s pretty unlikely that Whole Foods will take a big hit from this. The grocery food chain is in the midst of a post-Amazon acquisition sales surge, as Amazon has sold $1.6 million in Whole Foods private label products in just the last 30 days.

And in non-breach news…

Bank of America Merchant Services Restructure

Bank of America Merchant Services (BAMS) reported that it laid off about 10 percent of its staff last week—about 250 employees—as part of a corporate restructuring, according to reports.

The Wall Street Journal reported that the merchant services joint venture, which has operated in conjunction with First Data Corp. since 2009, employed about 2,200 people.

In 2016, BAMS had slipped to fourth place, behind Vantiv, First Data and Chase Commerce Solutions.

Bank of America Merchant Services is now trying to bolster the digital services it provides to merchants, either through its own technology or via partnerships. Last year, it expanded into Europe, serving global clients with cross-border merchant services.

Earlier this year, BAMS teamed up with Bypass, the developer of cloud-based restaurant and multi-site food management systems, to help arenas, sporting venues, corporate and college campuses, hospital cafeterias and other contract food and beverage operators to run their concessions more efficiently through a new unified, digital commerce solution.

As a spokesperson noted last week, BAMS “announced to employees a restructuring designed to accelerate our business strategy and better meet merchants’ evolving expectations in this increasingly digital era.”

So, what did we learn this week? The digital era has its costs. For acquirers, that means an increasingly competitive digital landscape. For everyone, it means an army of cybercriminals just waiting to use your personal data to start a new life elsewhere.

But hey, look on the bright side. National Taco Day is just three days from now – and after last week’s news, you’ve earned some mouthwatering Mexican food.


