Restaurant Data Breach Hits 10 States

Zaxby's Says Card Data Possibly Exposed at 108 Sites

By Tracy Kitten, January 17, 2013.

The Zaxby's restaurant chain has notified federal authorities of a computer system and point-of-sale breach that has so far affected 108 locations in Florida, Kentucky, Georgia, South Carolina, Alabama, Mississippi, Tennessee, North Carolina, Virginia and Arkansas.


The source of the attacks was not disclosed in the Jan. 11 breach statement issued by Zaxby's Franchising Inc., but the restaurant chain says compromised computer systems at certain locations were found to have malware and other suspicious files stored locally. Those compromised systems were discovered during an internal forensics investigation the restaurant chain initiated after several of its locations were identified as common points of purchase for payment cards linked to fraudulent activity by one of the major credit card brands, Zaxby's spokeswoman Debbie Andrews says.

"The files that have been identified as part of our forensic investigation are malware files that appear to be designed to collect and transmit credit and debit card information," she says. "Zaxby's Franchising Inc. is not certain at this point exactly how these files were installed on the systems of the affected restaurants. However, based upon the information that we have at this time, it does not appear that the malware files were spread through a common network."

Andrews says the systems that were breached include a combination of locally managed computer and POS systems.

"Zaxby's Franchising Inc. is requiring each of its licensees to engage an industry leading provider of PCI compliance services to provide enhanced firewalls, system monitoring and PCI compliance services," she says.

Zaxby's has 567 locations in 13 states, and franchises have various payments processors, Andrews explains.

Risk Acknowledged

Zaxby's notes in its Jan. 11 breach notice that no evidence has yet been found to suggest card data was exposed.

Still, the presence of suspicious files poses a risk that both customer names and card numbers could have been inappropriately accessed, the company states.

"Certain licensed locations have identified suspicious files on their systems that may have resulted in unauthorized access to credit and debit card information, or have been identified by credit card processing companies as common points of purchase for some fraudulent activity," Zaxby's says. "Zaxby's Franchising Inc. has notified appropriate law enforcement authorities of the potential criminal activity, which is believed to have originated from external sources."

Malware Likely Attacked Single Location

Gartner analyst Avivah Litan, a fraud expert, says Zaxby's description suggests the restaurant breach stems from a localized malware attack that infected local computers.

"I don't have any first-hand knowledge of this incident, but this definitely sounds like a computer network attack," Litan says. "[It could be] self-propagating malware that was on the hardware of the computers."

Litan says that during such an attack, cached files stored locally could have been exposed, showing that even when payment systems and processing equipment comply with the Payment Card Industry Data Security Standard, attackers can exploit other gaps.

"Names are never typically part of anything anyone stores when processing or authenticating [a card payment] transaction," she adds. "That information is not on track 1 or track 2 [of a card's magnetic stripe], and a restaurant wouldn't need to have that information in its POS system."

Two types of attacks can expose card data and/or personally identifiable information about cardholders, Litan says. One is an attack aimed at the POS system's authorization stream; the other is an attack against a retailer's network or computer system that reaches a database or file store holding stored or temporary files containing sensitive information.

"Now the weak link is what they're doing locally, and what they're storing on systems that run parallel to the POS," Litan says. "That's not to say we still don't have holes out there in processing to address; but in this particular case, it sounds like what they were doing locally was the issue."

Follow Tracy Kitten on Twitter: @FraudBlogger
