Fast food chain Sonic, which has more than 3,500 locations in 44 states has acknowledged that it had a data breach in its credit card processing systems at an undisclosed number of its restaurants potentially affecting what appears to be at least 5 million credit and debit cards. As is often the case in massive data breaches, such as this, the hackers are now selling the stolen credit card and debit card numbers along with the zip codes of the card holders on the Dark Web, which is that part of the Internet where criminals buy and sell things. The website Joker’s Stash is selling five million credit and debit cards for prices of between $25 and $50 per card, depending on various factors including the level of the credit card and whether it is a debit or credit card. The fact that zip codes are including in the information being sold makes the card more valuable to a criminal who may use the card for fraudulent purposes in the geographical area where the victim lives in order to avoid having the purchase look suspicious, such as in the situation where the card holder lives in New York City and a credit card purchase occurs in Singapore.
Like many credit card and debit card data breaches, this one was made possible due to the fact that Sonic stores affected do not yet use the more secure EMV chip credit card and instead still use the old style magnetic strip credit card.
If you have used a credit or debit card at a Sonic restaurant during the last six months, you should carefully review all of your credit and debit card purchases for indications of fraudulent use and if you find such use, report it to your credit card company or, in the case of a debit card, to your bank.
Until businesses that take credit cards switch to the newer EMV chip cards, this story will continue to occur again and again. There is no law requiring companies to switch to the EMV chip cards. The mandate of retailers to do so is only a trade group regulation. As for us, as consumers, the best thing we can do is to refrain from using our debit cards for anything other than as an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases. Frankly, even if you were not a Sonic customer you should regularly monitor your credit card statements for indications of fraudulent use.