[BreachExchange] Burgerville reports major credit card breach

Destry Winant destry at riskbasedsecurity.com
Wed Oct 3 20:27:01 EDT 2018


Burgerville says thousands of customers' credit and debit card
information may have been compromised during a cyberattack it learned
of in late August.

The Vancouver-based fast-food chain says anyone who used plastic at
its restaurants between September 2017 through last week should
carefully watch their card statements for unauthorized charges. In
addition, the chain recommends customers obtain a copy of their credit
report to look for unauthorized information and consider freezing
their credit.

"In an abundance of caution, Burgerville recommends that anyone who
visited their restaurants between September 2017 and September 2018
should consider that their data may have been compromised," the
company said in a written statement. Burgerville has 47 restaurants in
Oregon and southwest Washington.

Burgerville said it learned of the breach from the FBI late in August.
The chain didn't acknowledge the issue until Wednesday. The company
said its first priority was to contain the breach and close off
cybercriminals' access to its systems.

The Burgerville attack was conducted by an international cybercrime
group based in Eastern Europe, according to the company. The U.S.
Department of Justice said in August that the group, called "FIN7",
attacked more than 100 American companies in 47 states.

Authorities said the attack primarily affected companies in the
restaurant, gaming and hospitality industries, including Chipotle
Mexican Grill, Chili's, Arby's, Red Robin and Jason's Deli.

Three Ukrainians have been indicted in connection with the attacks.

Burgerville said it doesn't know how many of its customers were
affected. It provided a phone number, 877-322-8228, that anyone can
call to get a free copy of their credit report. The same information
is available online at annualcreditreport.com.

Prosecutors say the FIN7 cybercriminals launched attacks on businesses
in the U.S. and abroad with emails designed to appear legitimate to a
company's employees, following up with additional emails and phone
calls to fool recipients into thinking the messages were authentic.

Attackers stole millions of credit and debit card numbers, according
to authorities, and then sold them. Burgerville said there is no
evidence the thieves stole other personal information.

The company said it first learned of the breach on Aug. 22 and
initially believed it was "a brief intrusion that no longer existed."
The company's investigation discovered on Sept. 29 that the breach
remained active, so Burgerville began steps to neutralize it.

"The operation had to be kept confidential until it was completed in
order to prevent the hackers from creating additional covert pathways
into the company's network," Burgerville said in a written statement.
It said it completed the operation to seal the breach on Sunday.

A Portland attorney, Michael Fuller, immediately filed a complaint in
Multnomah County Circuit Court seeking class-action status for
Burgerville customers potentially impacted by the breach.

Wednesday's complaint alleges Burgerville failed to adequately protect
credit card information and seeks "fair compensation" for any losses.
It says Burgerville could have limited economic harm by promptly
notifying customers once it learned of the breach.

More information about the BreachExchange mailing list