Striped cards culprits in fast-food security breaches

In the past month, a handful of Capital Region sites appeared on lists of restaurants affected by security breaches at fast-food chains Wendy’s and Noodles & Co.

Then on Tuesday, a third chain, Cici’s Pizza, ended weeks of speculation by confirming that it too suffered a theft of customer debit and credit card information after its point-of-sale system was compromised.

What’s with all the fast-food hacks?

Blame old-guard magnetic stripe cards.

A Chicago company that works with businesses to protect data and fight cybercrime says the food and beverage segment was among the top three industries for breaches last year.

Trustwave Holdings, which in April released its 2016 Global Security Report, said that 10 percent of the hundreds of data-compromise investigations it undertook last year involved businesses in the food/beverage category — restaurants, supermarkets and similar establishments.

The retail industry ranked No. 1 at 23 percent of breach investigations, followed by the hospitality sector at 14 percent, according to the report.

Verizon, which annually compiles the well-regarded Data Breach Investigations Report, similarly cited the categories in its 2016 study as accounting for “a more significant percentage of breaches” than others. “This is unsurprising as they process information which is highly desirable to financially motivated criminals,” the report noted.

According to Trustwave, the bulk of compromises in the food/beverage sector occurred at the payment terminal at checkout. The point-of-sale, or POS, terminals process payment cards using magnetic-stripe scanners and chip-card readers, which are usually networked to transmit card and sale data to a centralized location or financial institution.

Malware loaded onto the system can grab customer information stored on the magnetic stripe as the card slides through the terminal; it’s nearly impossible to get that from the new EMV cards embedded with a computer chip because a unique code is produced with each transaction. But not every restaurant has chip-card readers, even though merchants and banks agreed last year to push each other toward the new technology.

Trustwave says the majority of intrusions affecting POS systems involved malicious remote access, which news releases from Wendy’s, Noodles and Cici’s indicated they all experienced.

Wendy’s went online earlier this month with an easy-to-use list of affected restaurants that included one location each in Colonie, Johnstown, Latham and Schenectady. Cards used between Jan. 13 and June 8 likely were affected; in Johnstown, the breach dated to Dec. 2 last year. Noodles said its affected restaurants included the one at Crossgates Commons in Albany. The breach period ran from Jan. 31 to June 2.

Cici’s has only one New York location, on Wolf Road in Colonie, but that site was not on the list of affected restaurants released Tuesday.

Although EMV adoption in the United States “still has a long way to go,” says Trustwave, “we expect to see fewer POS incidents in North America in 2016 and thereafter.”

Marlene Kennedy is a freelance columnist. Opinions expressed in her column are her own and not necessarily the newspaper’s.
