Whole Foods, Sonic Suffer Major Payment Card Breaches


Two U.S. companies recently acknowledged high-profile point-of-sale (PoS) breaches that affected an unknown number of customers.

On September 26, investigative reporter Brian Krebs announced that the fast food chain Sonic Drive-In, which has almost 3,600 locations across the U.S., had acknowledged a breach impacting an unidentified number of its locations' PoS systems.

The breach appeared to match a supply of approximately 5 million credit and debit card details that were being offered for sale at the cybercrime forum Joker's Stash for $25 to $50 each.

In a statement provided to Krebs, Sonic said, "Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic. The security of our guests' information is very important to Sonic. We are working to understand the nature and scope of this issue, as we know how important this is to our guests."

"We immediately engaged third-party forensic experts and law enforcement when we heard from our processor," the company added. "While law enforcement limits the information we can share, we will communicate additional information as we are able."

Sonic vice president of public relations Christi Woodworth told Krebs the company hasn't yet been able to determine which of its locations are impacted.

Tripwire principal security researcher Travis Smith told eSecurity Planet by email that all companies using point of sale systems need to isolate and lock down the devices as much as possible. "Point of sale terminals are typically low change system environments," he said. "Implementing whitelisting technologies and closely monitoring for any change can both prevent and detect any potential attacks."

"In the event of a compromised terminal, again these systems talk to predictable destinations both internally on the network as well as externally on the Internet," Smith added. "Isolating the network and only allowing communication to approved destinations will greatly reduce the overall attack surface of these devices."
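The two controls Smith describes, an egress allowlist and change monitoring on a low-change terminal, as an added Python example that is not part of the original article; the approved destinations, connection log lines and file contents are constructed placeholders, not data from either breach.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# Approved destinations for one PoS terminal (constructed: a payment
# processor gateway on a TEST-NET address and an internal back-office host).
APPROVED_DESTINATIONS: Set[str] = {
    "203.0.113.10:443",   # payment processor gateway (constructed)
    "10.20.0.5:8443",     # store back-office server (constructed)
}

# Constructed outbound connection log: "<timestamp> <src> -> <dst>:<port>".
SAMPLE_CONNECTION_LOG = """\
2017-09-25T10:01:02 10.20.1.31 -> 203.0.113.10:443
2017-09-25T10:01:09 10.20.1.31 -> 10.20.0.5:8443
2017-09-25T10:02:44 10.20.1.31 -> 198.51.100.77:443
2017-09-25T10:03:15 10.20.1.31 -> 203.0.113.10:443
"""


def unapproved_egress(log_text: str, approved: Set[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, destination) for every connection not on the allowlist.
    On a terminal that only ever talks to its processor and back office,
    any hit here is worth an alert."""
    hits = []
    for line in log_text.splitlines():
        if "->" not in line:
            continue                      # skip malformed or unrelated lines
        left, dst = line.split("->", 1)
        if dst.strip() not in approved:
            hits.append((left.split()[0], dst.strip()))
    return hits


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Snapshot a known-good terminal: path -> SHA-256 of its contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


def changed_files(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Diff the current file set against the baseline; returns
    path -> 'added' | 'modified' | 'missing'. On a low-change system
    every entry is a change that should have a ticket behind it."""
    findings: Dict[str, str] = {}
    for path, content in current.items():
        if path not in baseline:
            findings[path] = "added"
        elif baseline[path] != sha256_hex(content):
            findings[path] = "modified"
    for path in baseline:
        if path not in current:
            findings[path] = "missing"
    return findings
```

In practice the allowlist would be enforced at the store firewall and the baseline taken from a freshly imaged terminal; this block only shows the detection logic that both controls rely on.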

Whole Foods Market

Separately, on September 28, Whole Foods announced that it had learned of unauthorized access to payment card information used at taprooms and restaurants in some of its stores. Because those venues use a different PoS system than Whole Foods' store checkout systems, the company said its checkout systems were not affected.

"When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cyber security forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue," the company said.

Since Whole Foods was recently acquired by Amazon.com, the statement noted that Amazon.com systems don't connect to the affected PoS systems. "Transactions on Amazon.com have not been impacted," Whole Foods said.

According to Gizmodo, a Whole Foods spokesperson said approximately 117 locations were impacted, though it's not clear how long they were impacted for, or how many customers may be affected.

A list of affected locations can be viewed here.

"Hackers are constantly looking for the path of least resistance to sensitive data," CyberGRX CEO Fred Kneip said by email. "As digital ecosystems expand, that path frequently goes through a third-party vendor, supplier or contractor -- in this case, a point-of-sale vendor."

"If a chain is only as strong as its weakest link, large enterprises have thousands of links that can be exploited," Kneip added. "Organizations need to develop a real-time understanding of which third parties in their network pose the biggest threat to the data they are entrusted to protect so that they can proactively work to resolve third-party cyber risk issues before they turn into problems that impact their reputation and bottom line."

The Impact of a Breach

A recent Kaspersky Lab survey of more than 5,000 businesses in 30 countries found that the total impact of a data breach in North America now adds up to $1.3 million for enterprises, up from $1.2 million in 2016.

In response, the share of IT budgets devoted to security is growing -- it's currently 18 percent, up from 16 percent in 2016.

At the same time, the total IT budget is shrinking, and as a result, the average IT security budget for enterprises worldwide dropped precipitously from $25.5 million in 2016 to $13.7 million in 2017.

"While cyber security incidents involving third parties prove to be harmful to businesses of all sizes, their financial impact on a company has the potential to result in twice as much damage," Alessio Aceti, head of the enterprise business division at Kaspersky Lab, said in a statement.

"This is because of a wider global challenge -- with threats moving fast, but businesses and legislation changing slowly," Aceti added. "When regulations like GDPR become enforceable and catch up with businesses before they manage to update their policies, the fines for non-compliance will further add to the bill."