Retail Breach Hits Hawaii Restaurants
Malware Infects Network, Exposes Card Data
Roy's Holdings Inc., which owns and manages six Roy's restaurants in Hawaii, on July 5 confirmed that the compromise of one employee's desktop PC may have exposed debit and credit card information related to transactions conducted at five of its locations Feb. 1-25.
Roy's did not estimate the number of cards that may have been affected by the breach.
Merchant breaches are a big fraud worry for card issuers. Preliminary results from the 2013 Faces of Fraud Survey show that banks and credit unions blame merchant breaches, often linked to malware attacks, and card-not-present compromises for the majority of the card-related fraud losses they suffered in the last year.
But some experts say the details the restaurant chain has released so far suggest forensics investigations into retail breaches are improving.
How it Happened
Financial fraud expert Avivah Litan, an analyst with the consultancy Gartner, says investigators seem to have a better understanding of exactly how the Roy's point-of-sale network was infiltrated, relative to other recent investigations of retail malware attacks, such as those that targeted convenience store chain MAPCO Express and grocery chain Schnuck Markets Inc.
"Here the authorities are being clear that the malware got into the system via an employee desktop," Litan says. "I haven't seen that much clarity around attack vectors in other similar breaches in the past, and that's a good thing. It means that the investigators are getting more precise in identifying the footprint of the attack."
The attack on Roy's also could prove fraudsters are honing attacks to target higher-value cardholders, Litan says.
"The fraudsters went after an upscale restaurant chain, which is a departure from most of what I've seen in the past, e.g. attacks against fast food chains," Litan says. "This could have been a deliberate move on the part of the fraudsters, as the cardholders that frequent Roy's typically have high credit limits and therefore more valuable card accounts that can be resold on the black market."
But Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite Group, says the details released so far leave some questions unanswered.
"The company did not state the position the corporate employee whose computer was infected holds, which could infer a rifle or targeted approach to potential victims," she says. And the statement does not explain how the desktop PC was infected, whether through a phishing attack, a spoofed website or some other method.
"It is really difficult to draw many conclusions in the absence of such key details," Inscoe adds.
Still, other details suggest Roy's has performed a thorough investigation, she acknowledges.
"What I found so interesting about this data breach is that they were able to specify such precise dates when customers' data may have been leaked and that the breach lasted over such a brief period of time," Inscoe says. "Obviously, if the breach had continued undetected for many more months, many more consumers could have been impacted. Due to those two considerations - specific dates and short period of time prior to discovery - it seems the chain is really doing something right, in spite of the fact that this data breach occurred."
Type of Malware
The statement made by Roy's does not describe the type of malware suspected in the attack. But Andrey Komarov, head of international projects for global cyberintelligence firm Group-IB, says the timeline suggests BlackPOS or Alina, two Trojan families built to harvest card data from retail point-of-sale systems, may have been used.
"According to our information, the dates are very close to the timeframe of BlackPOS, which has been spreading across the world from different hands," he says.
Komarov also notes that during the same time period, numerous underground gangs used Alina to target retailers in the United States. Hawaii, however, has not yet been identified as one of the states affected.
Roy's did not respond to BankInfoSecurity's request for additional comment. But the company's release notes that Roy's hired several independent security and forensics investigators to analyze the malware attack.
"[The company] has taken a number of measures to strengthen the security of Roy's software and servers," Roy's notes.
The restaurant chain says it worked with legal and security vulnerability experts to assist with the investigation and implement appropriate safeguards after the breach.
"Roy's encourages its patrons to protect against possible identity theft or other financial loss by reviewing account statements for any unusual activity, notifying credit card companies of this notice and monitoring credit reports," the company says.
The card brands have been notified, and the U.S. Secret Service continues to investigate the breach, Roy's says.