Sonic Drive In was notified by its credit card processor that there was unusual activity involving cards used at its restaurants. It hasn’t been determined what caused the Sonic hack. However, other POS terminal data breaches came about because of the lack of security associated with those companies’ third-party vendors. Do some of your partners have inside access to your website and server? If so, make sure that they too are consistently being monitored for security holes.
Sonic responded, “We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
An article from Krebs On Security shares the following:
From my perspective, organized crime gangs have so completely overrun the hospitality and restaurant point-of-sale systems here in the United States. I just assume my card may very well be compromised whenever I use it at a restaurant or hotel bar/eatery. I’ve received no fewer than three new credit cards over the past year. I’d wager that in at least one of those cases I happened to have used the card at multiple merchants whose POS systems were hacked at the same time.
But no matter how many times I see it, it’s fascinating to watch this slow motion train wreck play out. Given how much risk and responsibility for protecting against these types of hacking incidents is spread so thinly across the entire industry, it’s little wonder that organized crime gangs have been picking off POS providers en masse in recent years.
I believe one big reason we keep seeing the restaurant and hospitality industry being taken to the cleaners by credit card thieves is that in virtually all of these incidents, the retailer or restaurant has no direct relationships to the banks which have issued the cards that will be run through their hacked POS systems. Rather, these small Tier 3 and Tier 4 merchants are usually buying merchant services off of a local systems integrator who often is in turn reselling access to a third-party payment processing company.
The Sonic attack is similar to what hit Wendy’s earlier this year. More than 1,000 of its locations were involved in a POS hack. Hackers stole specific payment card information including cardholder names, credit and debit card numbers, expiration dates, cardholder verification values, and service codes. With Wendy’s, the malicious actor accessed the POS terminals by compromising a third-party vendor’s credentials.
Other examples of POS terminal data breaches include Home Depot and Hilton Hotels.
Your website is safe if you and your third-party vendors are using Trust Guard’s Security Scanned services. But are your POS terminals safe? Contact us today to make sure your clients’ personal and credit card information is protected from hackers.
Tips for protecting POS systems
~ Perform consistent security scans within your website and server.
~ Ensure that your third-party vendors are also performing proper risk assessments within their digital ecosystem. Trust Guard can uncover weak security controls and work with the vendor to repair such issues before they are exploited.
Remember that your attack surfaces extend to third parties. If a breach occurs, you will bear the financial and reputational consequences. If a POS data breach can happen to Sonic Drive In and countless others, it can happen to you.
Special thanks to SC Magazine and their article on the Sonic Drive In Data Breach.