Sources at a number of U.S. financial institutions say they have traced a pattern of credit card fraud back to cards used at select Chick-fil-A locations throughout the nation. Chick-fil-A spokespeople told security expert Brian Krebs that they have received similar reports and are currently working with security firms and federal officials to investigate the alleged breach.
Late Thursday, anonymous insiders within the banking industry told Krebs that some 9,000 payment cards were thought to have been stolen in what is believed to be a Chick-fil-A data breach. Reports date back to November, when Krebs was initially informed that the restaurant chain may have been suffering a breach, but reports were spotty at best. Just days before Christmas, one major credit card provider issued alerts to several large banking institutions about a breach of an unnamed retailer beginning December 2, 2013 and ending September 30, 2014.
One institution that received the alert informed Krebs that nearly 9,000 payment cards were listed in the alert alone, and that the chain's point-of-sale devices were believed to be compromised.
Financial institutions said they identified a number of Chick-fil-A locations across the nation as having been impacted, but a majority of the fraud came from locations in Georgia, Maryland, Pennsylvania, Texas, and Virginia.
Krebs contacted Chick-fil-A for a comment regarding the breach, and was met with a ready-to-email statement:
“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants. We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”
“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so. If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”
The Atlanta, Georgia-based company is currently investigating the possible breach, and if it is confirmed, any number of Chick-fil-A’s 1,850 locations spread throughout 41 states could be affected.
Krebs believes the breach will only affect a small number of the retailer's locations, as is common with other breaches. The reasoning behind the speculation points to franchise owners and management who outsourced their point-of-sale devices to third-party vendors. The outsourcing of point-of-sale devices is what left Dairy Queen and Jimmy John's with a data breach on their hands.
As Chick-fil-A’s statement above says, if the payment breach originated at the company, affected customers will be provided with free credit monitoring services and will not be liable for any fraudulent charges made with affected cards.
As it comes to light that Chick-fil-A has suffered a data breach, it's safe to assume the fast food chain’s point-of-sale devices were hit with some form of RAM-scraping or Backoff-POS malware. Such types of malware were the culprit at Target, Home Depot, and P.F. Chang's, among numerous others, and left cybercriminals knee-deep in credit card information.
As 2014 was the year of the breach, it left many companies devastated and out millions of dollars in insurance payouts, credit monitoring services for affected customers, and investigation costs. The United States Secret Service issued an advisory earlier this year warning that point-of-sale infrastructure is becoming a high-risk target for criminals.
All in all, it's becoming common that point-of-sale devices are poorly secured and are facing the wrath of sophisticated attacks.