Skip to main content

Sonic's Data Breach: A Symptom of a Larger Issue

According to Hospitality Technology's 2017 Restaurant Technology Study, 38% of restaurants said enhancing payment and data security was a strategic goal for tech investment in 2017. While it was third in the top three strategic goals for restaurants, recent news headlines seem to indicate that restaurants might want to make payment and data security their number one priority in 2018.

According to Krebs on Security, Sonic is the latest victim of a massive data breach that could affect millions of credit and debit cards. It broke the news on Sept. 26 and Sonic confirmed in a statement on Sept. 27 that it was investigating "unusual activity" at some of its locations. The restaurant chain said it was alerted to the unusual activity the week prior by its credit card processor.

Oct. 1, 2017 will mark the 2-year anniversary of the EMV compliance deadline. According to Information Security Media Group, Sonic's vice president of public relations said the company has not adopted EMV at its restaurants "for a variety of reasons." Would EMV had made a difference in this particular data breach? Unlikely, as EMV is meant to stop card cloning. It is not effective at preventing malware from being installed on a point-of-sale system, which then reads and transmits the data to hackers.

Point-to-Point Encryption (P2PE), however, might have made a difference. According to the Ingenico Group, "P2PE is a security solution that protects card data as it’s transmitted through the payment process from start to finish. In the wake of high-profile credit card data breaches, which often exploit weaknesses in payment card systems, P2PE has become a standard method to secure card data from potential interception during payment processing. Using this method, payment card data is encrypted at the point of acceptance and is rendered inaccessible and unusable until it reaches its destination, even if a cyberattack can manage to intercept the encrypted data in transit."

Ingenico Group offers more insights and advice on breach protection in the column, "Prevent Restaurant Data Breaches with 4 Important Payment Technologies.”

According to Netsurion, there is the potential for a devastating threat of POS ransomware. Right now, credit card numbers are being sold on the dark web for relatively low sums of money. It's estimated that the Sonic credit and debit card numbers are going for approximately $25 to $50 each. But cybercriminals may want larger sums of money all at once. So instead of just stealing credit and debit cards, they could deploy ransomware that shuts down a POS system completely, bringing the business and its revenue to a halt. This would likely prompt the stores to pay the ransom right away allowing the criminals to profit right away.

A similar situation happened in January when cyber criminals used ransomware to lock a hotel's electronic key system, reservation system and cash desk system. Guests could not open their rooms with existing keycards and new keycards could not be made. The hotel decided to pay the ransom.

According to Cybereason, one of the best practices for any company to employ in order to help prevent ransomware attacks includes educating employees on how malware and ransomware can accidentally be downloaded by staff. The company goes on to say, "Malware often hides in unlikely places such as pirated software, file attachments, web links, and suspicious emails. Spam filters are a great start, but unfortunately this line of defense will not catch every new threat."

Cyberreason offers more insights and advice for preparing and responding to ransomware in the article, "Ransomware: One of Hospitality's Biggest Threats in 2017."

Netsurion offers the following as steps hotels and restaurants should take to protect themselves from card-siphoning malware and ransomware attacks:


Deploy a managed firewall (which can detect malware entering and sensitive data exiting the network)

File integrity monitoring (to tell you when files have changed that weren’t supposed to change)

Unified threat management appliances (used to integrate security features such as firewall, gateway antivirus, and intrusion detection)

Security information and event management, ideally with dormant malware hunting capabilities (used to centrally collect, store, and analyze log data and other data from various systems to provide a single point of view from which to be alerted to potential issues)

Managed detection and response (brings advanced threat detection and response specifically to the POS systems to reduce malware detection gap and incident response times)

Next-generation endpoint security solutions (used to stop attacks on the endpoint computers and servers before they can wreak havoc on other systems)

This ad will auto-close in 10 seconds