Wholesaler's POS Network Hacked Again

Restaurant Supplier Breach Exposes Payment Cards

December 28, 2012

Restaurant Depot, a College Point, N.Y.-based wholesale supplier, has notified officials in several states of a point-of-sale network breach that exposed a yet-to-be-determined number of customer debit and credit cards.


The company experienced a similar breach in 2011 that affected more than 200,000 individuals. Company officials say they took steps to enhance point-of-sale security after that incident.

Jetro Holdings, Restaurant Depot's parent company, discovered the breach Dec. 4 after several customers complained that they noticed fraudulent activity on their payment cards shortly after using them for purchases at the wholesaler, according to a Dec. 19 breach notification to affected cardholders.

"At this point, all we know is that our system was hacked and that only card numbers were exposed," Richard Kirschner, president of Restaurant Depot and chief operating officer of Jetro Holdings, tells BankInfoSecurity. "It was not an individual POS hack, but we know our system was hacked. Each store has a unique password for network access, so we're still trying to figure out how they got in. It will take time; this was very sophisticated."

In its notices to customers and states' attorneys general, including one for California, Jetro Holdings points out that data security and computer forensics firm Trustwave initiated an investigation Dec. 6 and determined that Restaurant Depot's network was breached Nov. 7. Jetro Holdings says it stopped the breach on Dec. 5, but the company did not provide details about how that was accomplished.

"We very recently determined that unauthorized individuals stole credit and debit card information from the card processing system we use in some of our stores," the company states in the notice. "We additionally immediately notified all the major card brands and provided information about potentially compromised accounts. The card brands will, in turn, notify card-issuing financial institutions, who can take steps to protect cardholders through enhanced fraud monitoring or by reissuing cards."

Second Breach

In late 2011, Jetro Holdings reported a similar POS attack that affected its Restaurant Depot and Jetro Cash & Carry stores. A forensics investigation by Trustwave found that hackers from Russia had infiltrated the payments processing system and injected malware.

Stored card details contained on magnetic stripes captured during purchases were compromised in the 2011 incident. That data included cardholder names, card numbers, expiration dates and card verification codes.

"Trustwave and our Information technology staff reviewed the safeguards we use to protect card information and made appropriate changes to improve the security measures we use to protect card information," according to a 2011 breach notice.

Since the 2011 breach, Jetro Holdings says it has taken additional steps to enhance POS security and ensure compliance with the Payment Card Industry Data Security Standard.

"Over the past year we have expended considerable resources and costs upgrading the credit card processing systems at each of our locations to ensure they met those security mandates," the company says in its Dec. 19 statement about the latest breach.

Kirschner says the company hired Trustwave after the first breach to monitor its network, but that ongoing monitoring failed to detect the most recent attack.

Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite Group, says it's likely Restaurant Depot, despite its belief that it was PCI compliant at the time of the breach, had more than one security gap.

"Investigations of other breaches in the past have disclosed gaps in compliance, and I strongly suspect this one will as well," Inscoe says. "Details are inadequate to speculate what led to the breach at this time. ... Given that this is the second breach of Jetro in two consecutive years, I predict fines [from the card brands] will be forthcoming. Card issuers will likely be looking for compensation to cover their costs as well if they have many cards cancelled as a result of this data breach."

Advice to Customers

Follow Tracy Kitten on Twitter: @FraudBlogger
