Sonic Drive-In, a fast food restaurant chain with more than 3,500 locations across the United States, confirmed on Wednesday that cybercriminals may have stolen customers’ credit and debit card information using a piece of malware.
The company has provided only little information about the incident, but says it’s working with law enforcement and third-party forensics firms to investigate the breach. Sonic said it delayed notifying customers of the intrusion at the request of law enforcement.
“Sonic Drive-In has discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations,” the company stated.
Customers who used their cards at Sonic Drive-In locations this year are being offered 24 months of free fraud detection and identity theft protection services via Experian. Consumers can enroll until December 31.
While it’s unclear which locations were hit by the malware attack and how many customers are impacted, security blogger Brian Krebs last week learned of a cybercrime marketplace selling a batch of 5 million cards, at least some of which appear to come from Sonic’s systems.
The cards were put up for sale on September 18, but IBM researchers said the first batch appeared on a different cybercrime service that checks card validity for fraudsters on September 15, which suggested that the attackers had been collecting card data on an ongoing basis.
The data offered on the cybercrime website had been offered for $25-$50 per card. Interested parties could purchase information from cards owned by individuals in a certain state or city — fraudulent transactions made in the area of the victim are less likely to trigger any alarms.
Sonic’s shares dropped 2 percent to $24.74 on Wednesday.
“Will customer loyalty be shaken? If the past as with the Wendy’s breach is prologue, then the answer is a qualified maybe, and if so, then only slightly,” Robert W. Capps, VP of Business Development at NuData Security, told SecurityWeek after the breach came to light.
“However, this – coupled with the tsunami of recent breaches – might just be the game changers that lead US Federal authorities to better protect the data collection, processing and storage of customer data,” Capps added.
The list of major restaurant chains that informed customers of a payment card breach in the past year includes Wendy’s, Cicis, Arby’s, Chipotle, Shoney’s, and Noodles & Company.
Related: Amazon’s Whole Foods Investigating Payment Card Breach