Sonic Drive-In Payment Systems Breached

The fast-food chain Sonic Drive-In acknowledged a breach of its payment systems to Krebs On Security, but the company is still looking into the scope.

The chain operates more than 3,500 locations in 44 states, most of which are franchised, according to the company’s site. The company said it’s working with third-party investigators and law enforcement after a credit card processor flagged “unusual activity regarding credits cards used at Sonic.”

On Tuesday, Krebs on Security reported payment information from accounts previously used at Sonic locations appeared in a batch of more than 5 million credit and debit cards for sale on a website called Joker’s Stash. Customers can sort through the payment information to find cards used at nearby locations and can purchase them for $25 to $50.

Krebs pointed out that the batch may include account information stolen from other companies.

After disclosing the breach, Bloomberg reported Sonic’s stock dropped 4.4 percent to $23.42, the biggest drop in two months.

Sonic hasn’t shared details about its breach yet, but point-of-sale intrusions are a popular way for hackers to steal payment information from the hotel, retail and food services industries. Verizon’s 2016 Data Breach Investigations Report found 534 incidents of point-of-sale intrusions, 525 of which lead to data disclosure.