Chick-fil-A Investigating Breach Reports

Restaurant Chain Working with Law Enforcement

Atlanta-based fast-food chain Chick-fil-A says it is working with law enforcement and a leading IT security firm to investigate whether its point-of-sale network has been breached.

In a Dec. 30 statement, which Chick-fil-A posted on its website Dec. 31, the chain says it has recently received reports of potential unusual activity involving payment cards used at a few of its restaurants.

"We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so," Chick-fil-A states. "If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts - any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring."

Suspicious Activity

The news comes just one week after some card issuers and a security expert told Information Security Media Group they suspected a common link between suspicious activity and payment cards recently used at some Chick-fil-A locations.

One security source, who asked not to be named, told ISMG on Dec. 22 that MasterCard had issued a fraud alert on Dec. 19 about a merchant that may have been breached sometime between December 2013 and September of this year. Many issuers suspected the merchant to be Chick-fil-A or its payments processor, Charge Anywhere, which in early December confirmed a breach of its network linked to malware.

Neither Chick-fil-A nor MasterCard would comment about that alert, but the source who spoke with ISMG said the alleged compromise of Chick-fil-A appeared to be sporadic. One card issuer in the Northeast reportedly had more than 8,000 cards impacted, while other issuers had fewer than 10 cards affected, the source said.

"It could be a segment or set of franchises, because the number of compromised cards they received was pretty low and they would typically receive a lot more cards by now," the source told ISMG on Dec. 23. "It's really a wild card for now."

One executive with a banking institution based in the Southeast, who also asked not to be named, says considerable fraud linked to Chick-fil-A first surfaced over the summer. But this executive says the fraud at Chick-fil-A is likely linked to a breach of the chain's processor, Charge Anywhere, not a POS attack targeted solely at the fast-food chain.

"I have reviewed the list from MasterCard on the processor breach and it does include Chick-fil-A and Dairy Queen, plus numerous other merchants," the executive says. "One of the merchants is a local fruit market that we have suspected since 2007, but were never able to prove. This tells me that this was a breach at the processor, Charge Anywhere, and probably goes back even further than they are saying. They have indicated 2009, but I suspect at least 2007. It is really difficult to pinpoint a common point of compromise when a processor is involved, but this list solves many old unsolved cases for us."

In October, Dairy Queen confirmed a breach of its POS network that affected 395 of its 4,500 franchised U.S. locations.

Charge Anywhere confirmed earlier this month that its network had been compromised by malware, but the company reported that the breach only dated back to 2009.

On Dec. 30, a Charge Anywhere spokesman told ISMG: "We haven't got much information about the investigation and the status of that investigation right now."


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



