threatpost | Brian Donohue | THREATPOST:3EAB224A34018B9EFE8BCA14F68C8FB6
Dec 31, 2014 - 11:18 a.m.

Payment Cards Exposed in Possible Chick-fil-A Data Breach


It’s been the year of the data breach, so it only makes sense that reports alleging a data breach at the popular fast food chain Chick-fil-A would emerge in the final days of 2014.

Late yesterday, security journalist Brian Krebs reported that an anonymous source at an unnamed financial institution told him that some 9,000 of their customers’ payment cards landed on a fraud alert list. The only common point-of-sale purchases among these cards were at Chick-fil-A. The source went on to tell Krebs that the bank in question had fewer than 9,000 payment cards impacted by last year’s massive Target breach, suggesting that the alleged Chick-fil-A compromise could be a big one.

Krebs reported hearing murmurs about a possible breach at Chick-fil-A back in November, but evidence was scant. However, around Christmas, a major credit card association issued an alert regarding a breach at an unnamed retailer that occurred between Dec. 2, 2013 and Sept. 30, 2014. Now Krebs claims that several institutions have observed fraudulent activities that can be traced back to the chicken-peddling fast food franchise.

In a statement issued to KrebsOnSecurity.com, a Chick-fil-A spokesperson neither confirmed nor denied the breach, but said the company has received reports from banks warning of a breach and is investigating the matter. The statement went on to say that if there was indeed a breach of payment data, cardholders would not be responsible for paying for fraudulent charges and the company would offer those affected free identity protection services.

If it comes to light that Chick-fil-A has suffered a breach, it stands to reason that the fast food chain’s point-of-sale infrastructure was likely infected with some type of RAM-scraping or Backoff-like malware. Such was the case for Target, Home Depot and many of the scores of other breached retailers this year.

So bleak is the state of point-of-sale security that the U.S. Secret Service issued an advisory on the matter earlier this year. The 2014 edition of Verizon’s Data Breach Investigations Report included an unflattering analysis of the state of point-of-sale security. In all, the common consensus is that point-of-sale systems are poorly secured and facing increasingly sophisticated attacks.
