According to notable security watcher Brian Krebs of the website Krebs on Security, a hacker released information on more than 3 million credit cards in a major Dickey’s Barbecue Pit-related breach.
According to Krebs, a file containing the credit cards showed up on an illicit credit card “bazaar” on October 13. The cards had a high “valid rate,” which Krebs wrote is “typically an indicator that the breached merchant is either unaware of the compromise or has only just begun responding to it.”
According to Q6Cyber and Gemini Advisors, two companies that track stolen credit card data, all the cards were linked to 156 of the company’s 469 locations. According to Gemini Advisors, that suggests that it might not be a breach of Dickey’s itself, but potentially of a central processor of transactions or a POS provider. The details are so far unclear.
The breach seems to have captured nearly all the key information of the cards used in the system between July 2019 and August 2020. The highest exposure, wrote Krebs, was in Arizona and California, but the breach affected locations across the country, as seen in the graphic below from Gemini Advisors.
Dickey’s released a statement saying it’s trying to figure out the size and scope of the breach.
“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved,” read the statement. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”
While it’s distressing, Dickey’s is in good company. Third-party delivery provider Chowbus announced a data breach of more than 800,000 customer records back in October, and both Sonic and Wendy’s have seen major breaches in the past few years. Where exactly the security hole was also remains to be seen.
According to IBM, the average cost of a data breach reached $3.86 million in 2019 and it takes, on average, 280 days to identify and contain a breach. That’s some insult to the injury of 2020, though Dickey’s continues to grow. It added 28 locations in the third quarter.
The breach serves as yet another stark reminder that restaurant companies need to have a plan in place for something like this.
Faegre Drinker partner Paul Luehr, the leader of the firm’s global privacy and cyber security practice, said during a 2017 panel that being secure isn’t just for the IT guys in the basement anymore.
"It’s now the duty of all of us to deal with cyber security—all the way up to the highest levels, to the board of directors," said Luehr.
That advice rings more true now than ever.