Two U.S. companies recently acknowledged high-profile point-of-sale (POS) breaches that affected an unknown number of customers.
On September 26, investigative reporter Brian Krebs announced that the fast food chain Sonic Drive-In, which has almost 3,600 locations across the U.S., had acknowledged a breach impacting an unidentified number of its locations’ PoS systems. The breach appeared to match a supply of approximately 5 million credit and debit card details that were being offered for sale at the cybercrime forum Joker’s Stash for $25 to $50 each.
In a statement provided to Krebs, Sonic said, “Our credit card processor informed us last week of unusual activity regarding credit cards used at Sonic. The security of our guests’ information is very important to Sonic. We are working to understand the nature and scope of this issue, as we know how important this is to our guests.”
“We immediately engaged third-party forensic experts and law enforcement when we heard from our processor,” the company added. “While law enforcement limits the information we can share, we will communicate additional information as we are able.”
Separately, on September 28, Whole Foods announced that it had learned of unauthorized access to payment card information used at taprooms and restaurants in some of its stores. Because those venues use a different PoS system than Whole Foods’ store checkout systems, the company said its checkout systems were not affected.
“When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cyber security forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue,” the company said.
Since Whole Foods was recently acquired by Amazon.com, the statement noted that Amazon.com systems don’t connect to the affected PoS systems. “Transactions on Amazon.com have not been impacted,” Whole Foods said.