Sonic and Whole Foods disclose data breach details

Whole Foods announced on September 28 that hackers gained unauthorized access to credit card information stored within its point-of-sales (POS) system. Hackers targeted the POS system used in taproom and full-table service restaurants at some, but not all, Whole Foods stores. The breached POS is separate from the main checkout system, which was not affected.

You can visit the Whole Foods website to see if a store where you shop was hacked.

Upon discovering the breach, Whole Foods launched an investigation, enlisting the help of a cybersecurity forensics firm. Whole Foods also contacted law enforcement and is now taking appropriate cyber safety measures.

Amazon purchased the Whole Foods grocery chain in late August for $13.7 billion. Since Amazon does not use Whole Foods’ POS system, transactions were not affected.

Sonic acknowledges that millions of customers had credit card data stolen in breach

Fast-food chain Sonic Drive-In disclosed on September 26 that hackers stole the credit card information of millions of its customers. The number of consumers whose personal data was compromised is unknown at this time.

Internet security authority Brian Krebs first reported on the Sonic breach during the third week of September. Sources at multiple financial institutions told him that a significant number of fraudulent transactions were made, all with credit cards recently used at Sonic.

Krebs also saw evidence that five million credit and debit cards were put up for fire sale – goods or assets offered at a very low price – on the black market. Many of the credit card numbers on the list (codenamed ‘Firetigerr’) are linked to the Sonic cyber attack. The credit card numbers are indexed by city, state, and zip code, making it easy for cyber criminals to exploit personal data at a local level. The credit card numbers are being sold, most likely within a network of underground, credit-theft websites.

Krebs contacted Sonic for a statement and the company responded quickly, revealing that its credit card processor detected the unusual credit card activity about the same time he started hearing about it. The company immediately launched a cyber theft investigation, notified authorities and enlisted third-party forensic experts.

Most of Sonic’s 3,500 restaurants rely on the breached POS system as part of an upgrade it started three years ago. Based in Oklahoma City, Sonic serves approximately three million customers per day within 44 states. Sonic’s disclosure of the breach meant that by Wednesday, September 27, its stock price dropped approximately 4.4% to $23.52.