Penn Station Card Breach Grows

Restaurant Chain Confirms 80 Locations Targeted in POS Attack

Restaurant chain Penn Station Inc. has upped the number of franchise locations affected by a payments breach to 80, almost double what it originally reported.

The breach, which Penn Station says it's still investigating, is connected to a point-of-sale processing hack that may have exposed credit and debit details, but not PINs, at restaurants in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania, Virginia, North Carolina and Tennessee.

On its list of frequently asked questions, the chain says the exposure was limited to cardholder names and card numbers because Penn Station only accepts signature-based transactions.

But details surrounding exactly what happened remain sketchy.

"We did not learn of the possibility of unauthorized access until late April," the company says in its updated FAQ. "Our first step after learning such information was to change the method for processing credit and debit card transactions. We then hired forensic experts who began working in May to help us determine if unauthorized access did occur and what, if any, customer information may have been accessed or taken."

Penn Station says its investigation into the breach, which is being overseen by its processor, Heartland Payment Systems, and the Secret Service, is ongoing and that results, to date, have been inconclusive.

"The key is to work with the Secret Service and get down to the bottom of what happened," said Penn Station President Craig Dunaway, shortly after the breach was made public June 1.

The restaurant chain initially reported that only 43 of its 238 U.S. restaurants had been hit. Penn Station also said the compromise likely dated back to March, and that debit and credit cards used in March and April at the affected locations were likely exposed.

The investigation is being handled by the Secret Service based in Cincinnati. Law enforcement is not yet revealing details, but one investigator close to the case, who asked not to be named, expects the number of Penn Station locations affected by the breach to continue to grow.

Cardholders Speak Out

Dunaway told BankInfoSecurity that Penn Station learned of the breach from a customer. The patron connected the dots after swapping stories with others who had suffered fraud following dining at a local Penn Station restaurant.

Card issuers have not yet been outspoken about suspected fraud linked to Penn Station, but consumers have.

This week, two cardholders in Indiana contacted BankInfoSecurity to say they suspected their debit cards had been compromised at a Penn Station in Indianapolis. One reported fraudulent transactions appearing June 1 from various merchant locations in Virginia Beach, Va. The other reported fraudulent transactions stemming from attempted purchases in Dublin, Ireland.

What Happened?

Based on what Penn Station has revealed so far, industry experts suggest the breach could be linked to one or both of two possible scenarios - a processing hack, like the one that targeted 100 Subway locations between 2008 and May 2011, or a point-of-sale scheme, similar to the one discovered by the Michaels crafts store chain in May 2011.

In the Michaels breach, card exposure was traced back to December 2010, more than five months before the breach was discovered. In all, 90 individual PIN pads at crafts stores in 20 states were compromised.

Since discovery of the breach, Penn Station says its restaurants have changed the "method" they use for processing credit and debit transactions. That bit of information is telling, says Aite fraud analyst Shirley Inscoe.

"The information shared stated that there was an unauthorized data breach, which makes you assume a hack," she says. "But it also states that there was unauthorized access at some restaurant sites. That makes me wonder if this was an organized ring with mules, planted as servers or cashiers, who were also using skimming devices in some of the restaurants."

John Buzzard, who monitors card fraud for FICO's Card Alert Service, also says the breach sounds like it includes some sort of POS-device attack, but adds that it's really too early to tell.

"It's possible that a simple default admin password was never changed for the POS system at the affected locations," allowing hackers to easily infiltrate the system, Buzzard says.
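Buzzard's point above, that an unchanged default administrator password on a POS system is a plausible way in, is the kind of gap a routine configuration audit is meant to catch. The following is an added example, not code from Penn Station, Heartland Payment Systems or any POS vendor: it walks a constructed terminal inventory that stores salted credential hashes rather than plaintext, and flags any terminal whose admin login still matches an entry on an operator-maintained list of vendor defaults. The vendor names, default logins, terminal identifiers and locations are placeholders I made up for the example.

```python
"""Configuration audit: flag POS terminals whose admin login still matches a
vendor default. Added example with constructed data; not Penn Station's code."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed placeholder list of vendor-default logins an operator would
# maintain from vendor documentation. These are not real vendor defaults.
DEFAULT_CREDENTIALS: Dict[str, List[Tuple[str, str]]] = {
    "ExampleVendorA": [("admin", "admin"), ("admin", "1234")],
    "ExampleVendorB": [("manager", "password")],
}

PBKDF2_ROUNDS = 100_000


def hash_credential(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the inventory never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_terminal(terminal_id: str, location: str, vendor: str,
                  admin_user: str, admin_password: str) -> dict:
    """Build one inventory record; the plaintext password is hashed and discarded."""
    salt = os.urandom(16)
    return {
        "terminal_id": terminal_id,
        "location": location,
        "vendor": vendor,
        "admin_user": admin_user,
        "salt": salt,
        "admin_hash": hash_credential(admin_password, salt),
    }


def audit_inventory(inventory: List[dict],
                    defaults: Dict[str, List[Tuple[str, str]]] = DEFAULT_CREDENTIALS
                    ) -> List[Tuple[str, str, str]]:
    """Return (terminal_id, location, reason) for each terminal needing follow-up.

    Each default login for the terminal's vendor is hashed with that terminal's
    own salt and compared in constant time against the stored hash. Terminals
    from a vendor with no default list on file are reported for manual review.
    """
    findings: List[Tuple[str, str, str]] = []
    for term in inventory:
        vendor_defaults = defaults.get(term["vendor"])
        if vendor_defaults is None:
            findings.append((term["terminal_id"], term["location"],
                             f"no default list on file for vendor {term['vendor']!r}"))
            continue
        for user, password in vendor_defaults:
            if user != term["admin_user"]:
                continue
            candidate = hash_credential(password, term["salt"])
            if hmac.compare_digest(candidate, term["admin_hash"]):
                findings.append((term["terminal_id"], term["location"],
                                 f"admin login {user!r} still uses a vendor default"))
                break
    return findings


# Constructed sample inventory: one terminal left on a default login, one with
# a changed password, and one from a vendor with no default list on file.
SAMPLE_INVENTORY = [
    make_terminal("POS-IND-01", "Indianapolis, IN", "ExampleVendorA", "admin", "admin"),
    make_terminal("POS-OH-07", "Cincinnati, OH", "ExampleVendorA", "admin", "Q7!kd92#Lp"),
    make_terminal("POS-KY-03", "Louisville, KY", "UnlistedVendor", "admin", "admin"),
]

if __name__ == "__main__":
    for terminal_id, location, reason in audit_inventory(SAMPLE_INVENTORY):
        print(f"{terminal_id} ({location}): {reason}")
```

Hashing the defaults with each terminal's own salt means the audit can run against a credential store that never kept plaintext, and the constant-time comparison keeps the check itself from leaking which candidate matched. In practice the default list is the part that needs upkeep: it should be refreshed from vendor documentation whenever a new terminal model or firmware is rolled out.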

Inscoe says it's likely fraud linked to the attack occurred before Penn Station discovered the breach. The scope of the incident is probably more widespread, and the attack mechanisms more diverse, than has yet been revealed, she says.

"The comment that they have uncovered evidence that data was breached at some restaurants still leads me to believe this was fairly organized, and skimming may have been one component," she says.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.