Sonic’s Data Breach: Why Are Credit Cards Still Getting Hacked?

On Wednesday, a data breach at drive-in food chain Sonic jeopardized the security of credit cards from up to 5 million customers, whose accounts are being “peddled in shadowy underground cybercrime stores,” website Krebs on Security informed.

Initial rumors of a data breach occurred last week when multiple financial institutions began noticing a suspicious pattern of transactions using cards that were previously used at Sonic, the website noted. The company’s credit card processor confirmed the breach of Sonic’s cash registers, known today as point-of-sale terminals, but it remains uncertain whether it has targeted a small portion of these drive-ins or the entire 3,600 locations across 45 U.S. states.

“We are working to understand the nature and scope of this issue, as we know how important this is to our guests,” Sonic said in a statement. “We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we’re able.”

Sonic’s stocks tanked following the data breach confirmation. According to Bloomberg, the company’s shares dropped at least 4.4 percent to $23.53 as of Wednesday morning, its biggest decline in nearly two months. Sonic’s stock was down 7.2 percent this year until Tuesday’s close, Bloomberg added.

Data breach is one of corporate America’s worst nightmares. In 2013, Target confirmed a credit-card attack that involved up to 40 million accounts, while Home Depot reported in 2014 that a vendor’s stolen log-in information to access the company’s computer network gathered information from 56 million credit and debit cards in the U.S. and Canada.  

So, the question looms large: Why credit cards keep getting hacked?

Experts indicate that security measures must be analyzed from the viewpoint of the customer and retailer alike. Jeremy Hajek, industry associate professor at the Illinois Institute of Technology, told Newsweek that American companies and banks have moved slowly to incorporate stricter security standards.

“In America, we don’t use the PIN and chip, here we just use the chip and the signature [at the end of the transaction]. But when was the last time vendors checked the signature on the back of your card? Depending on the store, they will check your signature, but very few of them do that,” Hajek said.

Hajek added that it is up to a company to enforce additional rules, “but customers may not have the patience to go through another technology or security steps.”

Online security and devices connected to it are fairly new concepts for companies, according to Ryan O’Leary, vice president of Threat Research Center and Technical Support at WhiteHat Security. “Protecting such infrastructure is something that [companies] do not have the appropriate funding to do,” he told Newsweek, adding that services provided by a security expert can cost more than $100,000 a year.

In fact, money and time pose a hurdle for companies to implement a state-of-the-art structure. It takes time to securely rebuild point-of-sale systems while shifting from magnetic stripe cards to safer chip cards, as USA Today reported in June. Companies need money to hire technical staff to secure networks, purchase new and encrypted point-of-sale machines and software to maintain security, USA Today noted. 

Also critical is the lack of human talent dedicated to security, as well as scarce knowledge from the web developer’s stance. Developers create coding and applications on retailers’ websites without understanding much about security, thus making the page vulnerable to attacks, O’Leary said.

Security around transactions has become an oxymoron for many retailers and companies. “The user controls the interaction within a website as he or she buys products, and while companies want people to purchase online they still have to protect themselves from users. That’s a tough thing to do from a technological standpoint,” O’Leary added.

It remains to be seen whether future data breach can be prevented, so the best way for customers to protect their information is to make their behavior more static, Hajek said. “You can get cards that limit a particular pattern, such as buying gas or flowers,” he said. “Dedicate a credit card to four or five transaction limitations. Eyeballing any weird transactions is always a good method.”  

Join the Discussion