Investigations are continuing into a massive Sonic data breach that has potentially impacted millions of its customers.

Sonic, an Oklahoma City-based restaurant chain with more than 3,600 franchise restaurants in the United States, was alerted to a potential breach by its card payment processor after a pattern of fraudulent purchases was identified and linked to the restaurant chain.

The Sonic data breach was first reported by Brian Krebs, who linked the listing of a batch of 5 million credit and debit card numbers on the cybercrime marketplace Joker’s Stash to a potential breach at Sonic.

Krebs reported that two individuals who had agreed to purchase credit card numbers from the seller both said the cards had previously been used in Sonic locations. After contacting Sonic to report the potential breach, Krebs was notified that the restaurant chain was investigating a potential breach.

Sonic has issued a statement saying it is working with law enforcement and has hired a third-party forensics firm to confirm whether its systems have been hacked, and if so, to determine the nature and scope of the breach.

At present it is unclear how many of the restaurants chain’s locations have been impacted or the number of customer’s that have had their card details stolen. While the batch of credit and debit card numbers listed for sale indicates the breach victim count could be as high as 5 million, it has yet to be established whether all of those card numbers came from the Sonic data breach. It is possible the list could be an amalgamation of data from several breaches.

The Sonic data breach has potential to be one of the largest POS data breaches to affect the hospitality industry, and is the latest in a string of cyberattacks on restaurants. Earlier this year Chipotle Mexican Grill experienced a breach that affected most of the chain’s restaurants. Arby’s and the Select restaurant chain have also announced major data breaches. Last year, a major breach of card details was reported by Wendy’s which affected more than 1,000 of its restaurants.

Restaurant chain data breaches typically involve malware installed on point-of-sale systems that collects and exfiltrates card details. The malware infections often go unnoticed for weeks or months. It is only when card processors notice trends in credit card fraud and alert specific restaurants or restaurant chains that the breach is identified. The malicious actors behind these breaches often hold on to the stolen data until a sufficiently large batch of card numbers have been obtained, before listing the data for sale on darknet marketplaces.

In this case, the card numbers from the Sonic data breach were selling for between $25 and $50 depending on the type of card. This is much higher than the usual cost of stolen card numbers, indicating the card details have come from a recent data breach with most of the cards yet to be cancelled.

Hackers can gain access to POS systems via email phishing attacks, by exploiting vulnerabilities using exploit kits, direct attacks on unpatched and out-of-date operating systems, brute force RDP attacks, or by infiltrating the systems of vendors that have legitimate access to restaurant networks. It was the latter that enabled hackers to gain access to Target’s system and steal credit card details of 40 million customers. The same was true of the Wendy’s breach. Hackers obtained the credentials of some of its service providers and were able to login and install malware.

Restaurants can reduce the risk of data breaches by complying with the Payment Card Industry’s Data Security Standard (PCI DSS), a list of 12 requirements spread across six control objectives. Those requirements include the use of spam filtering, web filtering solutions, and securing the Wi-Fi environment – the latter two can both be achieved by implementing WebTitan.