Fast-Food Chain Sonic Investigates Potential Card BreachFull Scope of Potential Breach Remains Unknown
U.S. fast-food chain Sonic Drive-In said Tuesday it is investigating a potential payment card breach. Its alert follows a large, potentially related batch of stolen card data appearing for sale on a cybercrime "carder" marketplace.
Sonic, based in Oklahoma City, says it was alerted by its credit card processor last week to "unusual activity" on cards that had been used at its restaurants. Sonic has 3,500 franchises across the United States.
"We are working to understand the nature and scope of this issue, as we know how important this is to our guests," according to a statement issued by Sonic. "We immediately engaged third-party forensic experts and law enforcement when we heard from our processor."
News of the suspected payment card breach was first reported by cybersecurity blogger Brian Krebs. He writes that the cybercrime marketplace called "Joker's Stash" advertised 5 million new credit and debit card details on Sept. 18.
Krebs reports that two sources who purchased card data from the batch at Joker's Stash confirmed that all had been used recently at Sonic restaurants. The card data was priced at between $25 and $50 per card.
If verified, Sonic would be the latest large U.S. business to be targeted by payment card data thieves. Retailers, hotels, restaurants and many other types of businesses have been hammered by cybercriminals who use a variety of techniques to steal card data.
It's strongly advised that businesses follow the Payment Card Industry's Data Security Standard, or PCI-DSS, a labyrinth of recommendations for securing payments data. The regimen is designed to secure network transmission of card details and prevent fraudsters from grabbing unencrypted data.
But reaching PCI-DSS compliance can be difficult. And once an organization is compliant, it can easily fall out of compliance due to changes in its infrastructure or new business processes.
There's also third-party risk. Many companies have service agreements with a variety of vendors that have network access to their clients. "These vendors that do remote access - they're sometimes lazy and they want to use the same password across all stores, and none of them are secure," says John Christly, global CISO for Netsurion, a network security vendor.
That's what happened with another fast-food chain, Wendy's, last year. Hackers gained access credentials to some of Wendy's service providers and then used that access to install malware on point-of-sale systems in 1,025 U.S. restaurants (see Wendy's Hackers Took a Bite Out of 1,000+ Restaurants).
Likewise, retailer Target in 2013 lost 40 million card details and 70 million other records after attackers gained access to its network through a vendor that installed refrigeration systems in its stores.
Another common attack vector involves phishing emails - fake messages disguised to look legitimate. Netsurion's Christly says it's possible that someone at Sonic fell victim to such an attack, which involves baiting someone into clicking on a malicious link or opening malware disguised as a legitimate file, which gives attackers a beachhead in the victim's network.
If PCI-DSS recommendations are implemented correctly, in theory, it should be very difficult to steal payment card details.
But nothing is ever 100 percent certain, and many companies in the United States have yet to shore up their payments infrastructure, says Robert Capps, vice president of business development at NuData Security, a company that specializes in detecting fraud.
"You still have a lot of old-time terminals and storage and forwarding of credit card numbers that is still happening at some of these merchants," Capps says.
Credit card companies have also been pushing retailers to install EMV-compliant payment terminals. Those terminals accept payment cards with a cryptographic chip, which generates a one-time code to verify the transaction. EMV prevents the use of counterfeit cards, providing the original card carried an EMV chip.
Fraudsters have enjoyed years of success when copying the magnetic stripe on the back of the card and then creating a copy that can be used to make in-person purchases.
The EMV system, however, checks for the presence of a cryptographic chip on the card and rejects cards at the point of sale if they lack a chip, but should have one. EMV, however, is only aimed at stopping card cloning and doesn't stop skimming malware that can read card data from a point-of-sale terminal.
For Sonic, however, the EMV discussion remains academic. Christi Woodworth, Sonic's vice president of public relations, tells Information Media Security Group in a statement that the company "has not adopted EMV for a variety of reasons specific to our business."
Woodworth adds: "Many in the security industry feel that EMV would have minimal benefit against many of the recent breaches but as we learn more, we will evaluate."