National chain restaurant Sonic Drive-In was recently the victim of a cyberattack that resulted in the potential theft of millions of debit and credit card accounts from the company's POS card processing terminals.
The breach was initially investigated by Brian Krebs, former investigative reporter for the Washington Post and owner of cybersecurity news site Krebs On Security, which broke the story on Sept. 17.
According to his report, multiple financial institutions told Krebs about a pattern of fraudulent transactions stemming from cards used at some of the 3,500 nationwide Sonic Drive-In locations. Upon further investigation, he found that many cards previously used at the restaurant appeared on the site Joker's Stash, a black market hub that allows criminals to buy card information stolen from unsuspecting consumers. The swiped data can then be copied onto blank cards and used fraudulently.
The stolen accounts were categorized by geographic location. Offenders could then purchase cards stolen from people who lived near them to avoid an anti-fraud provision that flags or blocks suspicious transactions occurring in locations distant from the card holder's address.
Point of sale processors targeted for customer account information
Krebs notified the company of his findings and a representative provided him with a statement.
The statement noted that during the week prior, the company's credit card processor informed it of suspicious activity involving credit cards used to make purchases at the restaurant. Law enforcement and a third-party forensics team were then contacted following the news. During these investigations, policing agencies limited the amount of information the company was able to disclose, but it said it would provide details when it was able.
Sonic then released a public statement on Oct. 4 officially acknowledging the data breach. The announcement said the company was still working with authorities and offered free fraud protection to affected customers, but had no additional information on which stores were affected and how many cards were compromised.
Hackers targeted the restaurant's payment processors by remotely spamming terminals with malware, which copied customer account data stored on a card's magnetic strip. According to Nation's Restaurant News, the company recently installed new POS processing systems at 77 percent of its locations. The updated technology was meant to reduce costs and replace the previous Micros Oracle platform, which was over 30 years old. It is still unclear whether the data theft occurred through the new processing units or ones the company has yet to replace.
It's important that companies have the most up-to-date payment processing software available to reduce the chances of falling prey to attacks by malicious hackers. The more secure a payment system is, the more secure customer and company data is.