Restaurant Data Breach Hits 10 StatesZaxby's Says Card Data Possibly Exposed at 108 Sites
The Zaxby's restaurant chain has notified federal authorities of a computer system and point-of-sale breach that has so far affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas.
See Also: The Global State of Online Digital Trust
The source of the attacks was not disclosed in the Jan. 11 breach statement issued by Zaxby's Franchising Inc., but the restaurant chain says compromised computer systems at certain locations were found to have malware and other suspicious files stored locally. Those compromised systems were discovered during an internal forensics investigation the restaurant chain initiated after several of its locations were identified as commons points of purchase for payment cards linked to fraudulent activity by one of the major credit card brands, Zaxby's spokeswoman Debbie Andrews says.
"The files that have been identified as part of our forensic investigation are malware files that appear to be designed to collect and transmit credit and debit card information," she says. "Zaxby's Franchising Inc. is not certain at this point exactly how these files were installed on the systems of the affected restaurants. However, based upon the information that we have at this time, it does not appear that the malware files were spread through a common network."
Andrews says the systems that were breached include a combination of locally managed computer and POS systems.
"Zaxby's Franchising Inc. is requiring each of its licensees to engage an industry leading provider of PCI compliance services to provide enhanced firewalls, system monitoring and PCI compliance services," she says.
Zaxby's has 567 locations in 13 states, and franchises have various payments processors, Andrews explains.
Zaxby's notes in its Jan. 11 breach notice that no evidence has yet been found to suggest card data was exposed.
Still, the presence of suspicious files poses a risk that both customer names and card numbers could have been inappropriately accessed, the company states.
"Certain licensed locations have identified suspicious files on their systems that may have resulted in unauthorized access to credit and debit card information, or have been identified by credit card processing companies as common points of purchase for some fraudulent activity," Zaxby's says. "Zaxby's Franchising Inc. has notified appropriate law enforcement authorities of the potential criminal activity, which is believed to have originated from external sources."
Malware Likely Attacked Single Location
Gartner analyst Avivah Litan, a fraud expert, says Zaxby's description suggests the restaurant breach stems from a localized malware attack that infected local computers.
"I don't have any first-hand knowledge of this incident, but this definitely sounds like a computer network attack," Litan says. "[It could be] self-propagating malware that was on the hardware of the computers."
Litan says during such an attack, cached files stored locally could have been exposed, proving that even when payments systems and processing equipment is in compliance with the Payment Card Industry Data Security Standard, attackers can exploit other gaps.
"Names are never typically part of anything anyone stores when processing or authenticating [a card payment] transaction," she adds. "That information is not on track 1 or track 2 [of a card's magnetic stripe], and a restaurant wouldn't need to have that information in its POS system."
Two types of attacks can expose card data and/or personally identifiable information about cardholders, Litan says. One is an attack aimed at the POS system's authorization stream; the other is an attack against a retailer's network or computer system, which affects a database that has stored or temporary files containing sensitive information.
"Now the weak link is what they're doing locally, and what they're storing on systems that run parallel to the POS," Litan says. "That's not to say we still don't have holes out there in processing to address; but in this particular case, it sounds like what they were doing locally was the issue."
Zaxby's says it's working with locations to notify potentially affected customers that their bank accounts should be monitored, but it makes no mention of providing identity theft assistance or protections. It also is requiring all of its locations to work with an unnamed national security expert to provide "ongoing aggressive security resources," Andrews says.
Other Recent POS Breaches
This is the latest in a string of recent POS breaches that have impacted payment card customers and card-issuing financial institution.
In December, College Point, N.Y.-based Restaurant Depot discovered a POS network breach that affected a yet-to-be-determined number of cardholders in several states.
The company issued a notice to potentially affected customers in the compromised states.
"At this point, all we know is that our system was hacked and that only card numbers were exposed," Richard Kirschner, president of Restaurant Depot and chief operating officer of parent company Jetro Holdings, told BankInfoSecurity in late December. "It was not an individual POS hack, but we know our system was hacked. Each store has a unique password for network access, so we're still trying to figure out how they got in. It will take time; this was very sophisticated."
The breach was the second breach to strike Restaurant Depot in the last year. A similar breach hit the wholesaler's POS network in 2011 and exposed more than 200,000 cardholders.
Barnes & Noble did not say when the breach was discovered, but said it had determined through an internal investigation that the compromise was linked to device tampering at stores in California, Connecticut, Florida, Illinois, Maine, New Jersey, New York, Pennsylvania and Rhode Island.
"The tampering, which affected fewer than 1 percent of PIN pads in Barnes & Noble stores, was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases," the company said. "This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads."
In 2011, restaurant chain Penn Station also reported a payments breach that affected 80 of its franchised locations. Penn Station never revealed the source of the breach, but industry experts say it was most likely linked to a network attack, similar to the attack that struck more than 150 Subway franchises between 2008 and 2011.