[BreachExchange] One Day, Three Credit Card Data Breach Notifications

Destry Winant destry at riskbasedsecurity.com
Mon Dec 23 10:17:51 EST 2019


On the same day this week, two restaurants and a convenience store,
all with locations across the U.S., disclosed security breach
incidents that may have enabled attackers to steal customer payment
card data.

In all three cases, malware designed to collect magnetic stripe data
was discovered on payment processing servers for card transactions.

Wawa store, food market, coffee shop, gas pump

The most prominent on this shortlist is the Wawa convenience store
chain, with all its locations potentially impacted starting March 4, 2019.

Current investigation results show that exposed payment card (debit
and credit) information includes numbers, expiration dates, and
cardholder names.

In the data breach notification on Thursday, Wawa states that
personal identification numbers (PINs) needed for approving
transactions, typically above a specific limit, were not impacted.
CVVs (card validation value) used for card-not-present purchases
(online shopping) also remained safe.

Wawa's security team found the malicious software on the payment
processing servers on December 10 and was able to contain it by
December 12. The investigation determined that the "malware began
running at different points in time after March 4, 2019."

Chris Gheysens, Wawa CEO, says that none of the impacted customers
will be responsible for the fraudulent charges related to the
incident. Identity protection and credit monitoring services are
provided free of charge to Wawa customers whose information may have
been involved.

Islands restaurants

The number of Islands restaurants impacted by the PoS malware incident
disclosed on the same day as Wawa is 60. Most of them are in
California, other locations being in Arizona, Hawaii, and Nevada.

The restaurant was alerted to a potential payment card issue and an
investigation revealed that there was a reason for concern.

Not all devices in all restaurants were compromised. A list of
affected Islands locations is accessible from the breach disclosure page.

The PoS malware campaign began on February 13 and continued until
September 27, compromising locations on various dates. It searched for
data on the magnetic stripe that contained the cardholder name, card
number, expiration date, and internal verification code.

Islands restaurants' notification states that malware is no longer
present on payment card processing devices at its locations.

Champagne French Bakery Cafe

The restaurant announced the data breach on the same day as Wawa, but
the details are different. Following an alert regarding PoS malware,
Champagne initiated an investigation with the help of a computer
forensics company.

The inspection revealed that PoS malware had been installed starting
February 13 at various locations. Starting on this date and continuing
through September 27, "malware was installed on certain point-of-sale
devices in our restaurants that were used for payment card
transactions," reads the notification.

According to the official statement, eight locations were compromised
and at seven of them, card data could not be extracted in some weeks
in March, just like in the case of the Islands compromise.

Similar to the incident affecting Islands restaurants, the following
data from the magnetic stripe was exposed: cardholder name, card
number, expiration date, and internal verification code. Also, the
malware did not always identify the owner's name in the payment card
info, something that Islands also mentioned in their disclosure.

Neither Champagne nor Islands provides free identity protection or
credit monitoring services, but both inform their customers that they
can request a free copy of their credit report once a year.
