Malware Involved in Car Wash Breach
Credit Card Data Exposed at Connecticut Locations
The car wash chain confirmed on June 26 that a breach had impacted the company's systems from Feb. 28 to May 16 and compromised 1,400 customers' credit card information. Although specific details of the compromise are unclear, Splash Car Wash says that "there was [an] ... external breach and we quickly eliminated the malware causing the compromise."
"We express our utmost regret to those affected by this unfortunate and deliberate criminal act," says Mark Curtis, founder and CEO of the company. "The protection and privacy of confidential patron information is a matter we take with extreme seriousness."
More to Come?
The breach at Splash Car Wash may be the sign of more incidents to come, says John Buzzard of FICO's Card Alert Service. "We may learn that this merchant wasn't the only one affected," he says. "I speak with lots of financial institutions each day, and the subject of car wash breaches in various parts of the U.S. has been coming up more frequently in casual conversation."
Specialty merchants, like car washes, may not pay much attention to the security features of the POS software they select, Buzzard says. "Factors like the latest in access points, encryption and password safety may be secondary thoughts to them," Buzzard says. "This can open up the door to greater fraud risk."
Yet the compromise of one car wash chain does not constitute a trend, says Al Pascual, fraud and security analyst at Javelin Strategy and Research. "These breaches are typically crimes of opportunity, and businesses big and small should be cognizant of the fact that if they store or transmit card data, then they are potential targets," he says.
After discovering the compromise, the car wash chain began communicating with banking institutions and federal investigators, in addition to launching its own investigation. So far, 1,400 patrons at its Connecticut locations in Fairfield, Cos Cob, Shelton, Greenwich, Bridgeport and West Haven have had their card information exposed, the chain confirms.
Splash Car Wash has replaced credit card systems at all 16 of its locations in Connecticut and New York with credit card readers "verified as safe and provided by banking institutions," Curtis says.
Since the notification mentions malware, it's reasonable to assume the cause of the breach was the compromise of the car wash chain's point-of-sale systems, Pascual of Javelin says. "The fact that readers were replaced would also lead me to believe that they are attempting to avoid any potential repeat of the issue by separating the capture and transmission of card data from the POS systems completely."
Curtis says the car wash chain is cooperating with the U.S. Secret Service and local law enforcement as part of a larger ongoing federal investigation. "Due to the sensitivity of the investigation, we do not know and are unable to provide any further information regarding the criminal act, but will maintain open communication as information becomes available."
The company did not immediately respond to a request for additional information, including whether impacted customers would receive free credit monitoring services.