Cyber Incident Victim: Sonic Drive-In
Date: Sep 2017
Location: United States of America
Summary
A breach at Sonic Drive-In compromised payment systems, leading to millions of credit and debit cards being sold on cybercrime platforms. The incident involved malware installed on point-of-sale systems to capture magnetic stripe data, enabling card cloning for fraudulent purchases. Financial institutions detected fraudulent transactions linked to the fast-food chain, with the stolen cards appearing for sale shortly after the breach. Most locations were independently owned franchises, which complicates payment-security management in the same way seen in past breaches at other restaurant chains. The stolen card batch may have included data from multiple compromised eateries, though Sonic's involvement was confirmed.
Description
In September 2017, Sonic Drive-In, a fast-food chain operating approximately 3,600 locations across 45 U.S. states, experienced a breach affecting an unknown number of store payment systems. The incident first came to light when financial institutions identified patterns of fraudulent transactions on cards previously used at Sonic locations. Cybersecurity investigator Brian Krebs reported on September 18, 2017, that approximately five million credit and debit card accounts tied to Sonic had been listed for sale on Joker's Stash, a prominent underground carding marketplace. Initial card uploads to this criminal platform occurred on September 15, 2017, with the full batch becoming available by September 26. Attackers compromised point-of-sale systems by installing malware designed to capture magnetic stripe data from payment cards, enabling thieves to clone physical cards for fraudulent purchases. The stolen cards were priced between $25 and $50 based on factors including card network, tier classification, debit/credit status, and issuing bank.

The breach's scope remained unclear, with indications that Sonic customer cards might have been mixed with those from other compromised restaurant brands. Sonic's predominantly franchised operational model—with approximately 90% of locations independently owned—introduced potential complexities in breach management, drawing parallels to the prolonged 2015-2016 Wendy's breach that affected franchisee systems. While Sonic acknowledged the breach publicly, specific details regarding detection methods, containment timelines, and remediation efforts were not disclosed in available reports. Financial institutions faced immediate impacts through fraudulent transactions and card reissuance costs, mirroring challenges experienced during previous restaurant sector breaches. The incident highlighted ongoing vulnerabilities in point-of-sale systems across franchise-based retail environments, where decentralized management structures can complicate coordinated security responses.
