Wednesday, October 4, 2017
Sonic Corp. issued a Sept. 26, 2017, statement confirming a massive security breach of its POS systems. The incident led to a fire sale of millions of credit and debit card account numbers on the Dark Web. The fast food giant advised security analyst Brian Krebs, of KrebsOnSecurity, that its credit card processor had detected unusual activity. Krebs was first to report the story.
"The security of our guests' information is very important to Sonic," the company stated. "We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able."
Charles C. Foti Jr., former Attorney General of Louisiana and Partner at New Orleans, La.-based Kahn Swick & Foti LLC, said his law firm has launched an investigation to determine how hackers gained access to millions of payment card accounts, which they then placed on sale on a website. KSF specializes in securities, antitrust and consumer class actions and merger and acquisition activities.
The firm's representatives said it is unclear whether Sonic management violated any state or federal laws. If legal analysts confirm executives failed to adequately protect data systems or report the breach in a timely manner, KSF may file a class action, they stated.
Krebs said he notified banking industry sources when he found a batch of 5 million credit and debit card accounts that debuted Sept. 18, 2017, in Joker's Stash, an online criminal marketplace. The cards were organized by Track 1, 2 and 3 credit card data. "Sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker's discovered they all had been recently used at Sonic locations," he stated.
"Brian Krebs, who has broken this story, is reporting that … the National Association of Federal Credit Unions is responding with understandable dread, knowing that ultimately their member credit unions will likely bear some of the ultimate financial burdens," said Robert W. Capps, Vice President, Business Development at NuData Security. "Will customer loyalty be shaken? If the past, as with the Wendy's breach, is prologue, then the answer is a qualified maybe, and if so, then only slightly."
Capps called the Sonic breach, along with other intrusions into networks handling sensitive information, painful reminders that personal data is an irresistible target. This was just before Verizon, Yahoo Inc.'s parent company, disclosed that 3 billion accounts ‒ not the previously reported 1 billion ‒ were hacked in a 2013 breach of Yahoo's systems. That breach was disclosed in late 2016.
Capps expressed hope that the recent tsunami of high-profile data breaches would lead U.S. authorities to better protect the collection, processing and storage of customer data. "Until PII data is rendered worthless by advanced authentication such as passive biometrics, consumers will continue to suffer the consequences of industry and legislative inaction," he added.