Pierluigi Paganini December 23, 2019

The news of two new payment card breaches made the headlines, the victims are the Islands restaurant chain and Champagne French Bakery Cafe.

The new restaurant chains with locations across the U.S. disclosed payment card breaches, in both cases, attackers used PoS malware to capture card data stored in the magnetic stripe.

Exposed data includes cardholder name, card number, expiration date, and internal verification code.

A PoS-malware infected 60 restaurants of the Burger chain Islands in California, Arizona, Hawaii, Nevada, and other locations.

“Islands Restaurants was alerted to a potential payment card issue, immediately started an investigation, and took steps to end unauthorized access to our payment card network.” reads the data breach notice issued by the Burger Chain. “A leading computer forensic firm was engaged, and a thorough investigation was conducted to determine what occurred and what restaurant locations and time frames were involved. Islands notified the card networks and provided information to support an investigation by law enforcement.”

According to Burger chain Islands Restaurants, the incident took place earlier this year, but the timeframe of the incident varies by store location. The malware was active between February 18, 2019, and September 27, 2019.

The list of affected locations is available here, not all restaurants were impacted, and for some affected restaurants only some devices were infected. The company informed its customers that the malware has been removed from all locations.

Customers should remain vigilant to the possibility of fraud by reviewing their payment card statements for any unauthorized activity. 

Champagne French Bakery Café also disclosed a payment card breach that involved a point-of-sale malware. The malicious code allowed crooks to capture cardholder name, card number, expiration date, and internal verification code.

“Champagne French Bakery Café was alerted to a potential payment card issue, immediately started an investigation, and took steps to end unauthorized access to our payment card network.” reads the data breach notification published by the company.

“Over the general time frame of February 13, 2019 to September 27, 2019, malware was installed on certain point-of-sale devices in Champagne Bakery restaurants that were used for payment card transactions. The time frames involved vary by restaurant.”

The company states that for 7 of the 8 restaurants involved, the malware failed in obtaining the payment card data in certain weeks in March 2019.

The company confirmed that the PoS malware has been removed from all its systems at the impacted locations.

Both Champagne and Islands companies did not provide free identity protection and credit monitoring services.

Pierluigi Paganini

(SecurityAffairs – Islands, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]