Sonic Drive-In Credit-Card Breach: What to Do

UPDATED Oct. 5 with confirmation of breach from Sonic, and offer of free credit monitoring for potential victims.

If you've used your credit card at a Sonic Drive-In restaurant recently, better check your statements. The entire fast-food chain, or at least a significant part of it, may have suffered a credit-card breach, according to independent security reporter Brian Krebs.

A Sonic restaurant in Costa Mesa, California. Credit: Ken Wolter/Shutterstock

The company confirmed to Krebs that there had been "unusual activity regarding credit cards used at Sonic," but couldn't confirm how many cards might be affected, how many of the roughly 3,500 Sonic restaurants might be involved, or whether there had even been a breach at all.

Nonetheless, if you have used a card at Sonic within the past six months, call the service number on the back of the card and use the automated menus to check your recent transactions. If there are transactions you don't recognize, notify the card issuer immediately.

Krebs said he heard last week that 5 million newly stolen credit-card numbers had been put up for sale in an online "carder" market called Joker's Stash. A screenshot from yesterday (Sept. 26) showed a listing boasting that the cards came from "almost all USA states."

Who's Impacted

The Oklahoma-based Sonic chain has restaurants in 45 U.S. states — all but Alaska, Hawaii, Maine, New Hampshire and Vermont. It features traditional American fast food, such as burgers, milkshakes and hot dogs, served by wait staff on roller skates to customers waiting in cars or outdoor tables.

Not a hedgehog, but it should check its credit-card statements anyway. Credit: Sonic Restaurants, Inc.

The cards being sold are part of a set called "Firetigerrr" by the seller, and are being offered for between $25 and $55, depending on whether they are credit or debit, their status level (standard, business, platinum, etc.) and their issuing bank. A screenshot of cards being offered that Krebs posted listed 11 cards issued in Texas, North Carolina, Arkansas, Louisiana, Virginia, Georgia and Washington state.

Krebs noted that the relatively high individual price — U.S. payment cards often sell for less than half those prices — might be due to the recentness of the breach.

Krebs got two of his contacts to buy some cards from the Firetigerrr set. Both contacts confirmed that all the cards they'd purchased had been used at Sonic restaurants recently. (Legally questionable as buying stolen card numbers may be, it's something that big banks routinely do to get information about credit-card theft.)

However, it's also possible that the cards could have been stolen from another retailer that happens to have a lot of customer overlap with Sonic.

It's not clear how a breach might have happened, but the presence of cards from a wide geographical area makes it improbable that the card numbers were stolen by unscrupulous cashiers. With a breach of this size and scope, it's more likely that criminals broke into some part of a back-end payment-processing system, as happened in the massive Target credit-card breach in 2013.

What Happens Next

If the Sonic breach is for real, it may take some time to confirm. Most Sonic restaurants are owned by franchise businesses independent of the Sonic Corporation, and the company would have to collect information from each franchisee.

The stolen card information can be used to make purchases online or to "clone" new cards by replicating the data on a card's magnetic stripe.

Online retailers are supposed to prevent this kind of fraud by requiring purchasers to input a three- or four-digit number that is printed on the card but not included in the card's electronic data. However, many online retailers don't ask for that number.

Brick-and-mortar retailers are supposed to upgrade to chip-and-signature cards that are much harder to replicate than magnetic-stripe cards, but, as anyone who's shopped in the United States recently knows, many retailers don't accept chip cards yet.

If your card ends up being part of the possible Sonic breach, don't panic. Just inform your card issuer ASAP (within two days if it's a debit card) and you won't be responsible for fraudulent transactions.

Payment-card theft generally has little impact on the end user, other than having to replace the card itself. Breaches of personal information, such as the Equifax data breach disclosed earlier this month, are much worse and have much longer-lasting effects.

UPDATE Sept. 27: Tom's Guide reached out to Sonic and received the same comment that was provided to Brian Krebs. Here it is in full:

"Thank you for the opportunity to respond to your inquiry. Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC.

The security of our guests' information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able."

UPDATE Oct. 5: Sonic Drive-In confirmed the breach and offered two years of free credit monitoring, provided by Experian's Identity Works, to anyone who used a credit or debit card at a Sonic restaurant since Jan. 1, 2017.

Sonic did not say how many customers or restaurants might be affected, when the breach began or how the attackers got into Sonic's payment systems.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.