Earl Enterprise – the owner behind a slew of US restaurant chains – confirmed on Friday that one or more hackers had installed credit card slurping malware on point-of-sale (PoS) systems at a half dozen of its restaurant brands.
The company said that potentially affected restaurants include its brands Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology and Tequila Taqueria. It’s set up a look-up tool at this site that lets you search for affected locations by city, state and brand.
The company said that the malware was designed to capture payment card data, which may have included credit and debit card numbers, expiration dates and, in some cases, cardholder names.
The dates of potentially affected transactions vary by location, though overall, customers who used their payment cards at the potentially affected locations between 23 May 2018 and 18 March 2019 might have been affected. The malware didn’t affect orders paid for online through third-party applications or platforms.
Earl Enterprise said that the breach has now been contained and that it’s working with two cybersecurity firms on an internal investigation, as well as with federal law enforcement. It’s working “diligently” with security experts on further remediation, it said, and plans to closely monitor its systems and take additional security measures “to help prevent something like this from happening again in the future.”
Earl Enterprise first got a heads-up about the PoS malware back in February, when security journalist Brian Krebs contacted the company to let it know that he’d found a big cache of credit and debit card numbers belonging to the company’s customers that were being sold on the Dark Web.
Krebs asked Earl Enterprises how many customers in total may have been affected by the 10-month breach, but it didn’t respond. Krebs himself reports that he found about 2.15 million payment card details in a batch of stolen cards that an underground shop was calling the “Davinci Breach.”
Krebs had reached out to the executive team at Buca di Beppo in late February after determining that most of the restaurant’s locations were likely involved in a data breach that first turned up on Joker’s Stash: an underground carding shop that regularly sells batches of freshly ripped-off payment card details.
After carders buy those payment card details, they can then put all the legitimate card details onto the fresh magnetic stripe of a blank card, thereby cloning the card and using the counterfeit card to buy high-ticket items.
That’s actually the nature of fresh charges against Max Ray Vision, a computer security consultant turned hacker who was serving what was a record-setting, 13-year prison sentence for illegal hacking when he was sent away in 2010 but who racked up even more charges from behind bars. In December, the hacker, known as the “Iceman”, was charged with allegedly using a contraband cellphone to loot debit card accounts and to then fund a drone delivery of even more contraband dropped into a Louisiana prison yard.
Check your statements!
Earl Enterprise is urging customers to check their credit and debit card statements with an eye out for fraudulent charges. You’re not responsible for fraudulent charges, but card issuers aren’t necessarily going to tug your sleeve when one gets made on your account. That’s why it’s a good habit to regularly monitor statements for suspicious activity.
If you see something wonky, don’t hesitate to report it to the card issuer. We the people are typically not held responsible for fraudulent activity – reported in a timely fashion. Don’t delay, if you don’t want to get stuck paying for somebody else’s shopping spree.
KeithF
I thought nearly all the major US business had migrated to Chip + PIN, and that is not vulnerable to this sort of attack? My other thought is this vendor STILL is not accepting chip+PIN and if so, aren’t they responsible for any financial damages, not the credit card company?
Paul Ducklin
Chip + Sign in the US, as far as I know (which is essentially just Chip, but still better than Magstripe).
What I have heard from American chums is that [a] your liability is reduced by installing Chip readers, rather than reduced for transactions that use them [b] the Chip readers are backwards compatible [c] swipes still work and can be faster. In other words, you can have your cake and the crooks can eat it, too.
KeithF
My experience in the western US has been if I “swipe” the stripe on a reader that also has chip capabilities (and my card also has the chip) then my transaction is declined immediately. This forces me to use the chip if that function is available. This might be enforced by the retailer, the processor or the credit card company, I am not certain who. Additionally in the US I have not yet been asked to sign when using the chip — I have always been required to use the PIN except for small incidental payments (some parking meters and such).
Dow
That has been my experience as well. Since the Chip readers were rolled out and the majority of the bugs worked out of the system, the vast majority of my transactions have been chip + pin. With that said, the QOS is not consistent from store to store. Some are very quick, while others are abysmally slow to process.
Mahhn
For mag stripe POS systems, the $100 (or less) solution is to have them behind a simple firewall that restricts traffic to approved vendor IP addresses. There is no reason a POS should have access beyond that.
Sandman
Had my AMEX (chipless at the time) cloned at the Orlando Planet Hollywood, many many years ago. I thought it was some employee. I now see it might have been malware installed at their POS. If so, it has been “sucking” on chipless cards for many, many years…
AzaL
If that is so, perhaps someone gets to re-install the malware after the POS has been swept or it has persistent capabilities.