Penn Station Inc. has confirmed that 43 of its 235 U.S. restaurants may have been affected by a payments breach that exposed credit and debit details.
In a June 1 statement and list of frequently asked questions posted on Penn Station's corporate website, the restaurant chain identifies franchise locations in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania and Tennessee that may have been affected by the attack.
Details about the breach are vague; exactly how the card details were exposed is unclear.
Penn Station President Craig Dunaway says Penn Station learned of the breach after a customer called to report that his card had been compromised shortly after dining at one of Penn Station's franchised locations. From there, Dunaway says Penn Station contacted its processor, Heartland Payment Systems.
"We've been working with Heartland to address the issue," Dunaway says. "The key is to work with the Secret Service and get down to the bottom of what happened."
Dunaway says he does not know the nature of the breach and could not say whether the card compromises resulted from tampered-with POS devices or a network hack.
But industry experts suggest the breach is likely linked to either a processing hack or a point-of-sale scheme similar to the one discovered by the Michaels crafts store chain in May 2011.
Penn Station suspects the compromise dates back to March, based on a preliminary investigation, according to its FAQ posting. Debit and credit cards used during March and April may have been exposed.
"Upon learning of the possibility of unauthorized access to credit and debit card information, all of the individual owners of the Penn Station restaurants changed the method for processing credit and debit card transactions," the FAQ states.
The investigation is ongoing, and Penn Station says it expects to update its list of affected locations if more are identified.
Penn Station says only account holder names and card numbers were breached. Whether PINs or card verification codes were part of that information has not been clarified.
What Type of Scheme?
Experts can only speculate, but Gartner analyst Avivah Litan says the scenario sounds like a POS-device swapping scheme - a scam that involves fraudsters physically swapping or trading a merchant's POS device and/or PIN pad with a device manipulated to skim card and PIN details.
"It sounds a lot like Michaels," Litan says. "Maybe they only hit 20 percent of the locations because Penn Station caught it early."
John Buzzard, who monitors card fraud for FICO's Card Alert Service, also says the breach sounds like a POS-device attack of some sort, but he says it's too early to determine how those devices might have been targeted.
"It's possible that a simple default admin password was never changed for the POS system at the affected locations," he says.
Jason Malo, a research director at CEB TowerGroup who covers security and fraud, says the breach seems localized and organized. "I don't think it's not a network breach," he says. "By listing the stores that were affected, there's a point-of-sale aspect to it, and that automatically makes you think there's something that happened with the devices."
Because only some locations in certain geographic markets were hit, Malo says the breach likely involved an organized effort coordinated among numerous players.
But Aite analyst Julie McNelley believes the compromise is more likely linked to a network hack, referencing Penn Station's note about updating its payments processing procedures.
"This just further highlights how vulnerable merchants are and highlights the importance of upgrading to more current data security standards, such as tokenization and end-to-end encryption," she says.
The Point of Compromise
Most breaches at merchant locations are reported by card-issuing banks to Visa and MasterCard, Litan says. After a number of fraud reports come in to the card brands, they trace the fraud back to identify the point of compromise.
But Litan says fraudsters have learned to expand their windows of compromise by only using cards from one or two card issuers at a time. "When only one or two banks report fraud, it takes longer for Visa and MasterCard to link the fraud to a larger compromise," she says.
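The tracing Litan describes is a common-point-of-purchase analysis: pool the issuers' fraud reports, then look for a merchant that the reported cards share within the suspected window. The following is an added illustration, not code from Penn Station, Heartland or any card brand; the transactions, fraud reports, card ids and merchant labels are constructed, and it also shows why each issuer on its own may see too few cases to cross the threshold.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample data (not from the article): one row per card-present
# transaction as (card_id, issuer, merchant_location, transaction_date).
TRANSACTIONS = [
    ("c1", "BankA", "PS-OH-01", date(2012, 3, 4)),
    ("c1", "BankA", "Gas-7",    date(2012, 3, 6)),
    ("c2", "BankA", "PS-OH-01", date(2012, 3, 9)),
    ("c3", "BankB", "PS-OH-01", date(2012, 3, 15)),
    ("c3", "BankB", "Gas-7",    date(2012, 4, 2)),
    ("c4", "BankC", "PS-OH-01", date(2012, 4, 10)),
    ("c5", "BankA", "PS-OH-01", date(2012, 4, 11)),  # never reported as fraud
    ("c6", "BankB", "PS-OH-01", date(2012, 2, 1)),   # reported, but outside the window
]
# Constructed fraud reports filed by issuers: (card_id, issuer).
FRAUD_REPORTS = [("c1", "BankA"), ("c2", "BankA"), ("c3", "BankB"),
                 ("c4", "BankC"), ("c6", "BankB")]
# Suspected window of compromise (the article's March-April timeframe).
WINDOW_START, WINDOW_END = date(2012, 3, 1), date(2012, 4, 30)

def common_point_of_purchase(transactions, reported_cards, start, end, min_cards=3):
    """Merchants where at least min_cards distinct reported cards transacted in [start, end]."""
    merchants_by_card = defaultdict(set)
    for card, _issuer, merchant, day in transactions:
        if card in reported_cards and start <= day <= end:
            merchants_by_card[card].add(merchant)
    # Count each merchant once per card, so repeat visits do not inflate the score.
    hits = Counter(m for merchants in merchants_by_card.values() for m in merchants)
    return {m: n for m, n in hits.items() if n >= min_cards}

def card_brand_view(transactions, fraud_reports, start, end, min_cards=3):
    """What the card brand sees: fraud reports pooled across all issuers."""
    reported = {card for card, _ in fraud_reports}
    return common_point_of_purchase(transactions, reported, start, end, min_cards)

def issuer_views(transactions, fraud_reports, start, end, min_cards=3):
    """What each issuer sees alone: only its own reported cards."""
    by_issuer = defaultdict(set)
    for card, issuer in fraud_reports:
        by_issuer[issuer].add(card)
    return {iss: common_point_of_purchase(transactions, cards, start, end, min_cards)
            for iss, cards in by_issuer.items()}

if __name__ == "__main__":
    print("card brand:", card_brand_view(TRANSACTIONS, FRAUD_REPORTS, WINDOW_START, WINDOW_END))
    print("per issuer:", issuer_views(TRANSACTIONS, FRAUD_REPORTS, WINDOW_START, WINDOW_END))
```

With the pooled view the shared location stands out at four reported cards, while no single issuer reaches the threshold, which is the delay Litan describes when only one or two banks are reporting.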
The Penn Station breach appears to have been detected relatively quickly. In the Michaels case, the exposure was traced back to December 2010, more than five months before the breach was discovered. In all, 90 individual PIN pads at stores in 20 states were identified as being sources of the Michaels breach.