Sonic Drive-In says ‘malware attack’ may have compromised fast-food customer payment data

Sonic Drive-In has acknowledged a security breach likely affected customers who recently used their credit and debit cards at the popular fast-food chain.

An undisclosed number of Sonic customers may have had their financial information compromised as the result of a recently discovered “malware attack,” the company announced Wednesday.

“Upon learning of this matter, we immediately contacted law enforcement and have been working with them in their investigation. We also immediately began our own investigation with the help of experienced third-party forensics firms,” Sonic said in a statement.

Sonic’s statement did not specify how many locations and customers were affected by the breach or when, but the chain boasted nearly 3,600 locations in 45 states as of 2016.

Customers who used their cards at any Sonic locations this year can receive 24-months of complimentary fraud detection and identity theft protection on the chain’s behalf, according to the statement.

“Your trust in Sonic is important to us and we sincerely regret any inconvenience this may cause,” the statement said.

Sonic’s admission of an unspecific “malware attack” came a full week after cybersecurity journalist Brian Krebs first reported that millions of stolen credit and debit card accounts were being sold on the dark web, and that banking industry sources told him that several of the cards had recently been used at Sonic locations.

Sonic told Mr. Krebs at the time of his initial report that it was recently made aware of “unusual activity” involving its customers’ credit cards, but the company refrained from confirming a full-fledged security breach prior to Wednesday’s statement.

“Notice of this incident was briefly delayed accommodating law enforcement’s investigation. We regret that this incident occurred, and apologize for any inconvenience or concern it may cause,” Sonic said Wednesday.

Sonic’s security breach marks the latest in a series of similar incidents suffered by American eateries in recent months. Chipotle said in May that a data breach compromised customer payment data from mots of its more than 2,000 locations, and Wendy’s announced in July that over 1,000 of its own restaurants had been subjected to “highly sophisticated”, criminal cyberattacks.”