Seattle Fraud Spree: Case Grows
Foreign Hacker Suspected in Restaurant Data Breach
The attack happened in late October, and the forensic trail leads overseas, officials say. Card data was stolen on Oct. 22 in a one-day attack by what authorities say for now was one hacker. The Seattle Capitol Hill area restaurant, Broadway Grill, appears to be ground zero for the attack. Secret Service agent Bob Kierstead of the Seattle Electronic Crimes Task Force says the overseas hacker, who was able to access the network through Broadway Grill's system, appears to have leapfrogged from the restaurant's access to a critical server in the transaction process, where account information was available.
The scheme appears to involve the sale or distribution of the stolen account information to numerous individuals across the country, as well as in foreign countries. Those individuals then used the information to make purchases against the consumer accounts. Authorities early in the investigation speculated that an organized crime group was involved.
Broadway Grill says it began cooperating with authorities immediately after the hack was discovered. It has since beefed up security around its payment network computer system.
The Secret Service says it is close to identifying the alleged perpetrator, but declines to name the country of origin, saying that revelation could compromise the agency's investigation. The agency says it is looking into possible links between the Capitol Hill fraud spree and another recent cybercrime wave in an unidentified northwest community.
Local institutions have aided the investigation, including the fraud response team at Boeing Employees Credit Union, an $8.6 billion institution based in Washington. According to John Snodgrass, security risk manager at BECU, the fraudulent charges on its members' cards were spotted immediately by the credit union's fraud-monitoring system, and information was quickly turned over to authorities to help pinpoint where the criminals were collecting card data.
Integrated Security Standards
Tom Wills, a fraud analyst with Javelin Strategy & Research, says the Capitol Hill hack reveals weaknesses posed by non-integrated systems in the payments chain.
Global standards that bring together all players in the payments supply chain -- including card companies, financial institutions, processors and merchants -- are the only way the industry can ensure security, he says. Even global adoption of the EMV chip standard would not have prevented hackers from collecting card numbers in this type of attack, Wills says.
"They are exploiting what I call the 'silo syndrome' -- the fact that different parts of the payment system are secured as individual components, but there's no integrated security across the system," he says. "If the POS system can be easily broken into, it leaves a security hole for hackers to exploit, and this is just what happened in the Seattle incident."
Wills says the only effective way to secure the payments chain will come from the development of global standards for end-to-end encryption and security. "These standards would have to be jointly owned and be realistic, in terms of economic cost and benefit to each of the parties," he says. "This isn't anywhere on the horizon -- it's not PCI -- and even if it was, it would be a slow, expensive and highly political process."
Managing Editor Tracy Kitten contributed to this report.