September 26, 2017

Sonic Drive-In breached, 5M cards possibly exposed

Credit unions should take note of a recently disclosed data breach at Sonic Drive-In, which may have led to some five million credit and debit cards being exposed. The fast-food chain has 3,600 locations across 45 states.

KrebsOnSecurity reported the breach yesterday afternoon.

"American consumers deserve better from the companies they've entrusted with their financial information," said NAFCU President and CEO Dan Berger. "Our country should already have a national data security standard in place for retailers and merchants, but we don't and it's extremely frustrating. How many more data breaches do consumers need to suffer before these companies are held accountable?"

Brian Krebs, author of KrebsOnSecurity, said he was alerted to the breach by several financial institution representatives who began noticing a pattern of fraudulent transactions on cards that had all been used at the eatery. Sonic Drive-In confirmed that it was investigating a "potential incident."

Berger, who is quoted in the Krebs article, reiterated that it is credit unions and other financial institutions that help consumers after a merchant data breach. "It's going to be the financial institution that makes them whole, that pays off the charges or replaces money in the customer's checking account, or reissues the cards, and all those costs fall back on the financial institutions," he said.

This comes on the heels of the recent data breach at Equifax, which revealed the personal information of 143 million consumers.

NAFCU continues to push for Congress to pass a strong national data security standard for retailers that would hold them to the same standards credit unions already follow under the Gramm-Leach-Bliley Act. Credit union representatives can reach out to their members of Congress and urge them to support such a measure through NAFCU's Grassroots Action Center.