Restaurant Depot, a College Point, N.Y.-based wholesale supplier, has notified officials in several states of a point-of-sale network breach that exposed a yet-to-be-determined number of customer debit and credit cards.
The company experienced a similar breach in 2011 that affected more than 200,000 individuals. Company officials say they took steps to enhance point-of-sale security after that incident.
Jetro Holdings, Restaurant Depot's parent company, discovered the breach Dec. 4 after several customers complained that they noticed fraudulent activity on their payment cards shortly after using them for purchases at the wholesaler, according to a Dec. 19 breach notification to affected cardholders.
"At this point, all we know is that our system was hacked and that only card numbers were exposed," Richard Kirschner, president of Restaurant Depot and chief operating officer of Jetro Holdings, tells BankInfoSecurity. "It was not an individual POS hack, but we know our system was hacked. Each store has a unique password for network access, so we're still trying to figure out how they got in. It will take time; this was very sophisticated."
In its notices to customers and states' attorneys general, including one for California, Jetro Holdings points out that data security and computer forensics firm Trustwave initiated an investigation Dec. 6 and determined that Restaurant Depot's network was breached Nov. 7. Jetro Holdings says it stopped the breach on Dec. 5, but the company did not provide details about how that was accomplished.
"We very recently determined that unauthorized individuals stole credit and debit card information from the card processing system we use in some of our stores," the company states in the notice. "We additionally immediately notified all the major card brands and provided information about potentially compromised accounts. The card brands will, in turn, notify card-issuing financial institutions, who can take steps to protect cardholders through enhanced fraud monitoring or by reissuing cards."
In late 2011, Jetro Holdings reported a similar POS attack that affected its Restaurant Depot and Jetro Cash & Carry stores. A forensics investigation by Trustwave found that hackers from Russia had infiltrated the payments processing system and injected malware.
Stored card details contained on magnetic stripes captured during purchases were compromised in the 2011 incident. That data included cardholder names, card numbers, expiration dates and card verification codes.
"Trustwave and our Information technology staff reviewed the safeguards we use to protect card information and made appropriate changes to improve the security measures we use to protect card information," according to a 2011 breach notice.
Since the 2011 breach, Jetro Holdings says it has taken additional steps to enhance POS security and ensure compliance with the Payment Card Industry Data Security Standard.
"Over the past year we have expended considerable resources and costs upgrading the credit card processing systems at each of our locations to ensure they met those security mandates," the company says in its Dec. 19 statement about the latest breach.
Kirschner says the company hired Trustwave after the first breach to monitor its network, but that ongoing monitoring failed to detect the most recent attack.
Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite Group, says it's likely Restaurant Depot, despite its belief that it was PCI compliant at the time of the breach, had more than one security gap.
"Investigations of other breaches in the past have disclosed gaps in compliance, and I strongly suspect this one will as well," Inscoe says. "Details are inadequate to speculate what led to the breach at this time. ... Given that this is the second breach of Jetro in two consecutive years, I predict fines [from the card brands] will be forthcoming. Card issuers will likely be looking for compensation to cover their costs as well if they have many cards cancelled as a result of this data breach."
Advice to Customers
In its notifications to affected customers, Jetro Holdings is offering free ID theft protection services. It also is recommending that cardholders who shopped at the Restaurant Depot between Nov. 7 and Dec. 5 contact their financial institutions as well as one of the three leading credit reporting bureaus.
The company also is advising affected customers to cancel payment cards used at Restaurant Depot within the breach timeframe. Inscoe says that step is uncommon, since breached retailers rarely recommend such action.
"Typically, the decision as to whether to reissue cards is left to the card issuer," she says. "This places them [card issuers] in an awkward position if they prefer to monitor the card activity instead of just reissuing cards immediately. Since the letter instructs that the customer cancel the card, issuers will most likely see some attrition as a result of this breach."