Uh-Oh. Looks Like Sonic Has Been Breached (And Millions Of Cards, Too)

Here we go again.

It looks like Sonic Drive-In has been breached — and possibly in a pretty big way. Sonic, at present, is at 3,600 locations across 45 U.S. states, and while the fast food chain has acknowledged the breach itself, it remains unsure just how many store payment systems have been affected.

It does seem, according to reports from KrebsOnSecurity, that the breach has yielded a “fire sale” for stolen credit and debit card accounts on the dark web.

The first sign that a big breach had happened started last week in the Oklahoma city area, as reports started rolling out from financial institutions that they were seeing a wave of bad card transactions held together by a single commonality — they’d all been used at a Sonic recently.

Those stolen cards popped up in a dark web bazaar called Joker’s Stash, and there were five million new cards on offer to purchase. At this time, however, it remains unclear whether Sonic is the only company whose customers’ cards are being sold on Joker’s Stash, or if (as reports indicated) those cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.

Shortly after, Sonic confirmed the breach. Christi Woodworth, vice president of public relations at Sonic, noted the investigation is in its early stages, and at this time they are unsure how many locations have been hit.

“Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic,” reads a statement the company issued to KrebsOnSecurity. “The security of our guests’ information is very important to Sonic. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”


According to a report from Reuters on Wednesday (Oct. 4), Sonic Drive-In believes a malware attack at a handful of its fast food locations may have been the reason hackers were able to gain access to customers’ debit and credit card information. It is still unknown how many point-of-sale systems at its brick-and-mortar locations across 45 U.S. states were affected.

Sonic Drive-In stocks took a 2 percent dive to $24.73 in afternoon trading following the news. The company is currently offering free identity theft protection as a result of the data breach.