Fast-food giant Sonic has disclosed a data breach potentially affecting millions of customers. The chain has nearly 3,600 stores across 45 US states but as the investigation is ongoing, it does not yet know how many store payment systems were affected.
KrebsOnSecurity first reported the breach, which Sonic discovered last week when its credit-card processor informed the chain of unusual activity regarding customers’ payment cards. The incident may have led to a “fire sale” of millions of stolen payment cards on the Dark Web. Card data from Sonic’s customers was discovered in a batch of five million credit and debit accounts advertised on an underground credit-card theft bazaar called Joker’s Stash.
It’s unclear whether all cards in the batch belong to Sonic customers; Krebs reports they could potentially be mixed with cards stolen from other outlets by the same attackers. Most range from $25 to $50 per card depending on the type of card, whether it’s credit or debit, and the issuing bank.
Sonic says it’s working with law enforcement and third-party forensic experts and will continue to update with further information.