Sonic customer card information may have been compromised
Sonic Corp. on Wednesday confirmed “unusual activity” with credit cards used at some of its restaurants following reports that customer credit card information may have been stolen.
The Oklahoma City-based restaurant operator said its credit card processor last week told the company of the unusual activity with cards that had been used at Sonic restaurants.
Sonic spokeswoman Christi Woodworth said the company is working with thirdparty forensic experts and law enforcement officials and that an investigation is underway. She said it is unclear how many or which stores were affected.
Sonic has more than 3,500 locations in 44 states.
“We are working to understand the nature and scope of this issue, as we know how important this is to our guests,” the company said in a statement. “While law enforcement limits the information we can share, we will communicate additional information as we are able.”
The data breach was first reported by security news website Krebs on Security, which said cards used recently at Sonic locations may be among a batch of more than 5 million credit and debt card accounts listed for sale on a credit card theft website earlier this month.
The announcement follows two weeks after credit ratings agency Equifax said hackers gained access to personal data of up to 143 million Americans.
Hamburger maker Wendy’s last year said hackers stole customer credit and debit card information from more than 1,000 of its U.S. locations.
Lawsuit filed
Sonic’s apparent data breach already has drawn legal action. Edmond resident Brian Huffer on Wednesday filed a lawsuit against the company and is asking the court for classaction status.
The lawsuit claims Sonic was negligent “for its failure to secure and safeguard consumers’ personally identifiable information.”
Oklahoma City attorney William B. Federman said he filed the lawsuit within hours of the first news reports to better protect his client and other Sonic customers.
“The reason to file quickly is to get ahead of the curve and work with the company and make sure the company is doing everything it can to protect its customers’ financial data,” Federman said.
The lawsuit cites recent data breaches at Wendy’s and Chipotle and states that Sonic should have learned from those situations and installed better protection on its systems. Federman also said the company should have notified customers as soon as it learned of the data breach.
“Why did it take a week? That’s one week when consumers could have taken action to protect themselves,” he said.