Another sizeable payment card data breach has been discovered at a U.S. restaurant chain.
In the latest example, several high-end eateries run by Select Restaurants in Cleveland were hit by fraud involving cards used by customers at its restaurants, according to a report posted Thursday on KrebsOnSecurity, a reliable site written by reporter Brian Krebs. Krebs said he learned about the case from anti-fraud teams at multiple financial institutions investigating "a great deal of fraud on cards used at a handful of high-end restaurants around the country."
A month ago, hundreds of Arby's restaurants were affected by a breach in their payment systems, Krebs reported. In January, Popeyes restaurants acknowledged they were also hit last summer in a similar breach. Wendy's reported being hit last summer as well.
Fraud from stolen credit and debit cards seems to be happening regularly at U.S. restaurants where older magnetic stripe cards are still sometimes in use instead of more secure chip cards. But even PIN and chip cards can't be defended against the kind of internal POS breaches that occurred at Select Restaurants, said Gartner analyst Avivah Litan.
"Chip and PIN won't do anything to stop breaches -- the data can just as easily be stolen," she said Friday. Chip and PIN will, however, thwart the reuse of card data when a thief tries to buy something at another physical location, she said.
Card breaches at retailers and restaurants continue happening in the U.S., Litan said. "The cases have only gotten drowned out in the news" because of election hacking and "other cyber espionage," she said. "It turns out that some of the same hackers who break into restaurants to steal credit cards are also conducting cyberespionage and other political activities on behalf of the Russian government. This was documented in the recent Yahoo breach arrests."
The extent of the fraud, in dollars or total victims, at Select Restaurants was not disclosed. Select Restaurants did not respond to a request for comment. The company owns eateries including Boston's Top of the Hub, Parker's Lighthouse in Long Beach, Calif. and Rusty Scupper in Baltimore, among others.
Krebs traced the Select Restaurants fraud to an intrusion in its point-of-sale (POS) vendor, 24 x 7 Hospitality Technology, a West Chicago company handling card transactions at thousands of hotels and restaurants. 24 x 7 sent a letter on Feb. 14 to its customers warning them of a "sophisticated network intrusion through a remote access application." The letter implied that criminals had guessed or phished a password that was used for 24 x 7's remote access to POS systems at customer locations going back to October 2016.
Victims apparently had primarily used magnetic stripe credit and debit cards at payment terminals at the affected restaurants. Mag-stripe cards rely on an older and less secure payment technology than do the newer chip cards. U.S. banks and card networks like Visa, MasterCard and other card companies have been giving customers new cards embedded with smart chips in recent years, although the U.S. is one of the last countries to convert to chip card technology.
Banks have regularly reported progress in replacing magstripe cards with chip cards since a liability deadline to make the conversion passed in October 2015. Many merchants, especially smaller retailers and restaurants, have complained about the cost and complexity of converting point-of-sale terminals to read chip cards, which has slowed the U.S. rollout.
Complicating matters, nearly all chip cards also have magnetic stripes containing card data, which are still vulnerable to hackers who can strip the data with special counterfeit readers. Even PIN and chip is vulnerable to internal breaches like those at Select Restaurants.
The best defense for restaurants is providing point-to-point encryption of data, Litan said. She also said retailers and restaurants shouldn't store sensitive data.
One security industry expert also called for bolstering payments security, including encryption. "To better secure the retail industry, the migration from swipe cards to PIN and chip and further to point to point encrypted (P2PE) solutions must be a priority," said John Christly, global chief information security officer at Netsurion, which provides managed security services for businesses.
Unfortunately, P2PE solutions are not widely available and can be costly if a small business has just paid to upgrade to chip payment terminals, Christly said.
A Visa spokeswoman said she could not comment on the recent restaurant breaches, but said instances of data breaches reinforce the need for businesses to protect the security and privacy of customer financial information. Visa also urges customers to regularly monitor their accounts for fraudulent charges and notify their bank of unusual activity.
Randy Vanderhoof, director of the U.S. Payments Forum, urged small retailers to enable chip card payments as "quickly as possible. The longer it takes the hospitality and restaurant industry [to support chip cards] the more vulnerable they remain."
"The fraudsters know where the weaknesses are and can move quickly," Vanderhoof added.