Sonic Drive-In latest to be hit in POS data breach

Sonic Drive-In is investigating a possible point-of-sale (POS) breach that has led to customer payment card information being sold on a dark web market.

Information on the cyberattack is limited so far, with no firm data on the number of cards affected, store locations involved, or how the POS system was infiltrated and with what type of malware. A Sonic spokesperson told SC Media the company was notified last week by its credit card processor that there was unusual activity involving cards used at Sonic restaurants.

“We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able,” the Oklahoma City, Okla. company said.

KrebsonSecurity is reporting that a recent dump of credit card info on a dark web credit card market called Joker's Stash contains card numbers recently used at Sonic, which were on sale for $25-$50 and are most likely tied to the breach.

Sonic operates 3,557 stores nationwide, with about 90 percent of them franchised.

The Sonic attack is similar to what hit Wendy's earlier this year when more than 1,000 of its locations were involved in a POS hack in which actors stole specific payment card information, including cardholder names, credit and debit card numbers, expiration dates, cardholder verification values, and service codes. In that case the malicious actor accessed the POS by compromising a third-party vendor's credentials.

While Sonic is still looking into the cause, several cybersecurity execs are already leaning toward a third-party vendor being at fault this time as well.

“The Sonic breach is another in a long line of retail breaches stemming from an attack on a third party. The Target hackers accessed data through an HVAC vendor, Home Depot and Hilton Hotels were breached through a point-of-sale vendor, and now hackers have breached Sonic by exploiting a credit card processing vendor,” Fred Kneip, CEO of CyberGRX, told SC Media.

Steve Moore, vice president and chief security strategist at Exabeam, agreed, adding, “As long as there's monetary gain on the table and the methods to detect and disrupt don't improve, the adversary will persist and succeed.”

Others see this latest breach as possibly the predecessor of something that could prove much more damaging to a retailer: the ability to not only steal payment card information, but also shut down an entire POS system as part of a ransomware attack. “If retailers don't protect themselves properly, this isn't much of a stretch," said John Christly, Global CISO at Netsurion. "Rather than gain access to a chain's POS to exfiltrate credit cards over months or even years, cybercriminals could deploy ransomware that shuts down the POS systems… effectively bringing the business and all revenue to a screeching halt.”

Tips for protecting POS systems

Understand what normal looks like so there can be an early indication of compromise when uncommon behaviors occur.
By performing proper risk assessments on third parties within their digital ecosystem, merchants can uncover weak security controls and work with the vendor to remediate such issues before they are exploited.
Remember that your attack surfaces extend to third parties. If a breach occurs, you will bear the financial and reputational consequences of vulnerabilities across your network of vendors, partners and suppliers.
Introduce advanced threat detection and response specifically to POS systems in order to identify threats more quickly improve incident response times.