Sonic Drive-In, a popular fast food restaurant with more than 3,600 locations across the United States, acknowledged it suffered a breach of its computer systems that resulted in the credit card numbers of customers being stolen.

The company confirmed Wednesday reports that it fell victim to a malware attack. Sonic has yet to identify which locations were affected by the breach or specify how many of its restaurants were infected with the information-stealing malware.

Word of the breach first began to surface last week when information security journalist Brian Krebs noticed new collections of credit card details appearing on dark web marketplace and forums. The cards appeared to come from Sonic customers, he reported.

In a blog post published Wednesday, IBM’s X-Force division—a group of experts who specialize in identifying and tracking banking trojans and financial breaches—confirmed that Sonic fell victim to an attack. The company issued its own confirmation later in the day.

In a press release, Sonic said it “discovered that credit and debit card numbers may have been acquired without authorization as part of a malware attack experienced at certain Sonic Drive-In locations.” Details beyond that were sparse. The company provided no details as to the scope of the breach, nor any information about how long the malware was present on its system.

The experts at IBM suggest the exposure could have been ongoing for more than a week. The group found a dark web shop that was offering batches of cards dating back as early as September 15. The breach wasn’t reported for at least 11 days after that initial batch of stolen cards appeared and Sonic didn’t acknowledge the attack for about 19 days from that date.

While Sonic hasn’t provided much by way of detail about the breach, information from the dark web shows that the attack spanned across multiple locations in a number of different states, suggesting the infection could have been widespread throughout the Sonic chain.

Sonic is far from the first restaurant to be hit by a credit-card stealing, point of sales malware. Earlier this year, thousands of Chipotle restaurants fell victim to a similar infection that siphoned off customer payment information from nearly every one of the chain’s locations. Several dozen Shoney’s locations suffered a similar fate this year as well.

Javvad Malik, security advocate at cyber security firm AlienVault, said the Sonic breach “once again highlights the importance of having adequate threat detection controls on the network as well as critical endpoints to detect any compromises, exfiltration of data, or strange patterns.”

Malik suggested investing in threat intelligence could have also helped improve the response to the Sonic breach, as the organization would have been able to monitor activity on the dark web and notice if there were any mentions of the company’s name or assets.

In response to the breach, Sonic is offering customers the ability to enroll in 24 months of free fraud detection and identity theft protection services through the IdentityWorks program offered by credit reporting firm Experian.

The service appears to be available to just about anyone who may have used a credit card to pay for food at a Sonic Drive-In location, given the company has yet to provide any specifics as to which locations may have been affected and a timeframe for the infection.

RELATED STORIES
Security Security Security Ransomware