Skip navigation

Sonic says payment cards might have been hacked

Company offering 24 months of identity theft protection

Sonic Corp. on Wednesday said that credit and debit card numbers might have been compromised in a malware attack at some of its locations.

The Oklahoma City-based drive-in chain also said it is offering two years of free fraud and identity theft protection for customers who used their cards at its locations.

The offer is through Experian’s IdentityWorks program. Consumers have until Dec. 31, 2017 to register and enroll through

The acknowledgement and the offer came one week after the 3,600-unit quick-service chain acknowledged that its credit card processor notified the company of unusual activity on cards used at Sonic.

The data security blog Krebs on Security first reported the breach last week.

Sonic stock fell 2 percent on Wednesday.

It’s uncertain how many locations were affected by the breach, or the nature of the attack — whether it came through the company’s point-of-sale system, or whether hackers used remote access software to install malware that collects those numbers.

“It appears that credit and debit card numbers used at certain Sonic Drive-In locations may have been impacted,” the company said.

Sonic said that it has been working with law enforcement in investigating the breach with the help of third-party forensic firms.

“We regret that this incident occurred, and apologize for any inconvenience or concern it may cause,” the company said.

The breach was the latest in a series of recent data security incidents, including a breach involving the now Amazon-owned Whole Foods, and a breach involving the credit reporting firm Equifax.

Numerous restaurant chains in recent years have been victims of data security incidents, including Shoney’s, Arby’s and Chipotle Mexican Grill Inc. earlier this year.

Contact Jonathan Maze at [email protected]

Follow him on Twitter at @jonathanmaze

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.