Sonic, Yahoo breaches painful reminders of vulnerability

Sonic Corp. issued a Sept. 26, 2017, statement confirming a massive security breach of its POS systems. The incident led to a fire sale of millions of credit and debit card account numbers on the Dark Web. The fast food giant advised security analyst Brian Krebs, of KrebsonSecurity, that its credit card processor had detected unusual activity. Krebs was first to report the story.

"The security of our guests' information is very important to Sonic," the company stated. "We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able."

Legal analysts investigate

Charles C. Foti Jr., former Attorney General of Louisiana and Partner at New Orleans, La.-based Kahn Swick & Foti LLC, said his law firm has launched an investigation to determine how hackers gained access to millions of payment card accounts, which they then placed on sale in an online website. KSF specializes in securities, antitrust and consumer class actions and merger and acquisition activities.

The firm's representatives said it is unclear whether Sonic management violated any state or federal laws. If legal analysts confirm executives failed to adequately protect data systems or report the breach in a timely manner, KSF may file a class action, they stated.

Security analysts react

Krebs said he notified banking industry sources when he found a batch of 5 million credit and debit card accounts that debuted Sept. 18, 2017, in Joker's Stash, an online criminal marketplace. The cards were organized by Track 1, 2 and 3 credit card data. "Sure enough, two sources who agreed to purchase a handful of cards from that batch of accounts on sale at Joker's discovered they all had been recently used at Sonic locations," he stated.

"Brian Krebs, who has broken this story, is reporting that … the National Association of Federal Credit Unions is responding with understandable dread, knowing that ultimately their member credit unions will likely bear some of the ultimate financial burdens," said Robert W. Capps, Vice President, Business Development at NuData Security. "Will customer loyalty be shaken? If the past, as with the Wendy's breach, is prologue; then the answer is a qualified maybe, and if so, then only slightly.

Yahoo reports triple the victims

Capps called the Sonic breach, along with other intrusions into networks handling sensitive information, painful reminders that personal data is an irresistible target. This was just before Verizon, Yahoo Inc.'s parent company, disclosed that 3 billion accounts ‒ not the previously reported 1 billion ‒ were hacked in a 2013 breach of Yahoo's systems. That breach was disclosed in late 2016.

Capps expressed hope that the recent tsunami of high-profile data breaches would lead U.S. authorities to better protect the data collection, processing and storage of customer data. "Until PII data is rendered worthless by advanced authentication such as passive biometrics, consumers will continue to suffer the consequences of industry and legislative inaction," he added.

Editorial Note:

Whether you want to upgrade your POS offerings, find a payment gateway partner, bone up on fintech regs or PCI requirements, find an upcoming trade show, read about faster payments, or discover the latest innovations in merchant acquiring, The Green Sheet is the resource for you. Since 1983, we've helped empower and connect payments professionals, starting with the merchant level salespeople who bring tailored payment acceptance and digital commerce tools, along with a host of other business services to merchants across the globe. The Green Sheet Inc. is also a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals.

Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.