On October 4, 2017, SONIC Drive-In announced a massive data breach in its payment processing system. Based in Oklahoma City, the fast-food chain discovered a malware attack targeting specific locations and customers using debit and credit cards to pay for their meals. In a statement, SONIC expressed regret and delivered an apology to affected customers: “We regret that this incident occurred, and apologize for any inconvenience or concern it may cause.”
In an effort to help anyone affected by the breach, SONIC will provide two years of identity theft and fraud monitoring for free. The offer is open to anyone who used a debit or credit card to pay at any SONIC location. The no-cost credit monitoring service is only available if SONIC customers enroll before December 31, 2017.
Unfortunately, the stolen data is already up for sale on the dark web, according to Brian Krebs of Krebs on Security. Identity fraud artists often purchase illegally obtained information in bulk during “fire sale” events after a major breach. The stolen identities are most valuable before the attack is discovered, and hackers will often sell massive quantities of information for as little as pennies per person.
One of the most immediate effects of any corporate data breach is on the company’s stock price. SONIC was no exception: the company suffered a 4.4 percent drop in its NASDAQ-listed shares after the announcement, the largest one-day price fall since August 8. SONIC’s data-breach public relations playbook is very similar to the one used after recent attacks at other large food chains such as Arby’s and Chipotle, and at many other American retailers.
It has been a difficult month for consumer privacy.
In the aftermath of the Equifax breach announced in September 2017, the coverage of financial crime and cyber-fraud is at an all-time high. Equifax recently announced a major data breach affecting hundreds of millions of Americans. At the time, the scope of the breach was relatively unknown, but in a statement on Tuesday, Equifax admitted to a higher number of affected U.K. residents, revising the number from 400,000 stolen U.K. identities to nearly 700,000. For more details on the Equifax debacle, read this article.
One thing is certain when data breaches make headlines: there is a common call to action for consumers to check their information.
SONIC recommended several things to ensure their customers were informed and protected. The advice from the fast-food giant included checking your statements for irregular transactions and requesting a credit report. Equifax offered free credit monitoring as well as other services such as credit freeze counselling and certain insurance packages.
Whether or not consumers are victims of the SONIC breach, it’s good practice to review credit reports on a regular basis to verify that the information is accurate and to check for fraud or mistakes. U.S. residents can also apply for their reports through the Federal Trade Commission.