Credit: Thinkstock via Computerworld
Another sizeable payment card data breach has been discovered at a U.S. restaurant chain.
In the latest example, several high-end eateries run by Select Restaurants in Cleveland were the victims of fraud involving cards used by customers at its restaurants, according to a report posted Thursday on KrebsOnSecurity, a reliable site written by reporter Brian Krebs. Krebs said he learned about the case from anti-fraud teams at multiple financial institutions investigating "a great deal of fraud on cards used at a handful of high-end restaurants around the country."
A month ago, hundreds of Arby's restaurants were affected by a breach in their payment systems, Krebs reported. In January, Popeyes acknowledged that its restaurants were also hit last summer in a similar breach. Wendy's reported being hit last summer as well.
Fraud from stolen credit and debit cards seems to be happening regularly at U.S. restaurants where older magnetic stripe cards are still sometimes in use instead of more secure chip cards. But even chip and PIN cards offer no defense against the kind of internal POS breaches that occurred at Select Restaurants, said Gartner analyst Avivah Litan.
"Chip and PIN won't do anything to stop breaches -- the data can just as easily be stolen," she said Friday. Chip and PIN will, however, thwart the reuse of card data when a thief tries to buy something at another physical location, she said.
Card breaches at retailers and restaurants continue happening in the U.S., Litan said. "The cases have only gotten drowned out in the news" because of election hacking and "other cyber espionage," she said. "It turns out that some of the same hackers who break into restaurants to steal credit cards are also conducting cyberespionage and other political activities on behalf of the Russian government. This was documented in the recent Yahoo breach arrests."
The extent of the fraud, in dollars or total victims, at Select Restaurants was not disclosed. Select Restaurants did not respond to a request for comment. The company owns eateries including Boston's Top of the Hub, Parker's Lighthouse in Long Beach, Calif. and Rusty Scupper in Baltimore, among others.
Krebs traced the Select Restaurants fraud to an intrusion at its point-of-sale (POS) vendor, 24 x 7 Hospitality Technology, a West Chicago company handling card transactions at thousands of hotels and restaurants. 24 x 7 sent a letter on Feb. 14 to its customers warning them of a "sophisticated network intrusion through a remote access application." The letter implied that criminals had guessed or phished a password that was used for 24 x 7's remote access to POS systems at customer locations going back to October 2016.