Large fast-food chains that span across the U.S have started to get some more attention from hackers. On September 26th a group of about five million credit cards were on sale on a popular data theft marketplace. The dumped credit cards were cross referenced with fraudulent activity reports detected by financial institutions. The common denominator here seemed to be that these cards were all used at Sonic Drive-in. This was later validated when Brian Krebs reached out to Sonic and they issued a statement to him saying:

“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC…”

Stolen Data Markets

The cards on Joker’s Stash are selling in the range of $25 to $50 per credit card. The data published includes the account holder’s bank, brand, card level, credit/debit status, city, and state. Almost everything is published about the cards, which have been made indexable for anyone to sort through. The end user and buyer of your stolen data may be your next door neighbor or co-worker. Due to the fact that the internal investigation by Sonic is ongoing it is hard to tell how many stores have been impacted by this data breach. This could even mean that Sonic locations are still compromised as you read this.

Fast Food Business Model

The complex issue that comes up when data breaches happen to fast-food chains is the business model these brands operate under. Sonic is a franchise meaning most locations are not owned and operated by the central office. Most Sonic Drive-in locations are managed by thousands of independent owners, who use a third party point-of-sale vendor to handle their credit cards. Outsourcing payment processing usually results in efficient sales and operations, but there is a significant risk to organizations of a breach.

Payment Processing Vendors

When there is a third party managing payment processing often the devices used to capture credit card data can be accessed remotely by the vendor for management and updates. For hackers this is a gold mine, mainly because a hack of the third party vendor grants hackers access to credit card processing machines. Hackers accomplish this by way of phishing and social engineering, essentially taking advantage of the biggest cyber security weakness, insiders. This was the scenario in the case of Wendy’s from late 2015 to 2016, where processing machines were compromised for about nine months at more than 1000 locations. That scenario was a nightmare to deal with apparently because Wendy’s had a similar business model as Sonic, where they had few corporate locations and several independent franchise locations.

Far Reaching Consequences

It’s not yet known if the scenario laid out above is what happened to Sonic Drive-in. Brian Krebs interviewed Dan Berger who is the CEO of the National Association of Federally Insured Credit Unions about the potential fallout from the data breach at Sonic. He said:

“It’s going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer’s checking account, or reissues the cards, and all those costs fall back on the financial institutions. These big card breaches are going to continue until there’s a national standard that holds retailers and merchants accountable.”

Focus on Insider Threats

When there’s a breach in one industry it’s never an isolated incident, it can have significant implications across many sectors in the economy. Notice though that the impact of the data breach started with an insider incident at one vendor then spread to a larger organization and eventually into the core financial institutions that countries rely on. Insider threats can have huge implications for the economy which is why any investment in cyber security by organizations must invest their funds into insider threat mitigation and prevention.