Sonic Drive-In Breach: Is Cybersecurity Crisis Communications on the Menu?

Sonic Drive-In has confirmed a breach involving the fast food chain's point of sale (POS) systems, according to KrebsOnSecurity. Pundits speculate that the breach could involve malware fetching information from 5 million credit cards, but Sonic is still investigating the breadth of the breach.

According to a Sonic statement sent to Krebs:

“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”

As of Sept. 27 at 2:04 p.m. ET, Sonic's corporate website did not specifically mention the breach.

Chatter about the breach initially pressured Sonic's stock today, but shares have since rebounded and are actually up 1.2 percent as of 2:04 p.m. ET. Sonic Drive-In, based in Oklahoma City, Oklahoma, had roughly 3,600 restaurants across the United States as of mid-2016.

Cyber Breach Crisis Communications

Sonic could face intense public scrutiny over the next few days and weeks. The breach comes the same month that the SEC and Equifax each stumbled with breach disclosure processes. In Equifax's case, the company's CEO, CIO and CISO each retired after Equifax struggled to accurately describe a breach involving 143 million customer identities.

The key lesson: Getting hacked is bad. But don't add insult to injury... Fumbling communications about the hack can trigger intense shareholder and regulatory concerns.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.