[BreachExchange] Credit card details stolen from Dickey’s BBQ customers published on dark web forum

Fri Oct 16 10:34:09 EDT 2020

https://siliconangle.com/2020/10/16/credit-card-details-stolen-dickeys-bbq-customers-published-dark-web-forum/

Some 3 million credit card numbers belonging to customers of Dickey’s
Barbecue Restaurants Inc., the largest BBQ franchise in the U.S., are
being offered for sale on the dark web after the company was hacked.

The stolen credit card details were discovered on a dark web carding
site called “Jokers Stash” by security researchers at Gemini Advisory
LLC. The breach, dubbed “BLAZINGSUN” on the forum, is alleged to
included credit card data from 35 U.S. states and some countries
across Europe and Asia.

How the data was stolen is a complete mystery at this point with
Dickey’s BBQ not officially admitting to the hack and theft of data on
their website as of the time of writing. With some sense of irony, the
company’s website includes a California Consumer Privacy Act
disclosure form; under CCPA, it’s required to disclose any incident
that involves the theft of customer data.

Cyberscoop reported that the company has responded in a statement,
saying that “we received a report indicating that a payment card
security incident may have occurred… we are taking this incident very
seriously and immediately initiated our response protocol and an
investigation is underway. We are currently focused on determining the
locations affected and time frames involved.”

“Given the widespread nature of the breach, the exposure may be linked
to a breach of the single central processor, which was leveraged by
over a quarter of all Dickey’s locations,” the Gemini researchers said
in a blog post.

James McQuiggan, security awareness advocate at security awareness
training firm KnowBe4 Inc., told SiliconANGLE that the criminals could
have lifted credit card information, names and possibly email
addresses.

“Anyone who has visited this organization in the past six months will
be wise to actively monitor their bank accounts and credit card
transactions for any fraudulent or suspicious charges,”  McQuiggan
noted. “If they discover any, they should report it as soon as
possible to the financial institution.”

Warren Poschman, senior solutions architect with data security company
comforte AG, said that with COVID-19 pushing businesses in the
fast-casual restaurant segment to the brink, attackers are taking
advantage of lax security while many are in survival mode. “Regardless
of the ill timing, organizations need to ensure that every step in the
payment cycle is secured from acquisition to settlement,” he said.

Saryu Nayyar, chief executive officer of security and risk analytics
firm Gurucul Solutions Pvt Ltd. A.G., noted that the credit card dump
indicates, for one, a lack of consistency and enforcement in PoS
terminal operations. “The fact that we are still seeing mag-stripe
based data, when chipped cards have been ubiquitous for years,
indicates that many retailers have not taken card security seriously,”
he said.

The second issue is the apparent fact that this breach was ongoing for
more than a year. “Organizations need to do more and quickly to
prevent this kind of theft,” Nayyar said. “They need to deploy the
latest PoS equipment, even at small franchise locations, and have an
up to date security stack, including behavioral analytics, that can
detect a breach long before three million customer credit card numbers
wind up for sale on the dark web. This was most likely entirely
preventable.”