Credit card-stealing malware infests nearly 100 Zaxby's chicken restaurants

We'll take a side of malware with that extra crispy meal...
We'll take a side of malware with that extra crispy meal...

Zaxby’s learned of the issue when its credit card processing companies identified certain locations as common points of purchase for fraudulent credit card activity. The company said that during the course of the investigation it “identified some suspicious malware files on the licensees’ computer systems at several Zaxby’s locations.”

“Because those malware files could have been used to export guest names and credit and debit card numbers, Zaxby’s Franchising informed appropriate law enforcement authorities of the potential criminal activity,” it said in a public notice listing all of the stores affected. “Zaxby’s Franchising is working with all of its store locations to implement additional security measures to prevent further intrusions.”

It said that while it has no knowledge of whether the information was actually stolen, it would err on the side of caution.

“Although the forensic investigation has not determined whether credit or debit card data left the processing systems of any of the locations, Zaxby’s Franchising is concerned that the existence of the suspicious files could indicate that an attacker or attackers may have accessed data, including credit and debit card information," the company said in a statement. Just to be sure, Zaxby’s is offering its customers free credit report services in the wake of the discovery.

Verizon found in its 2012 Data Breach Investigations Report that the food industry was a top target for hackers, accounting for 54% of all data breaches studied by the company. One of the most high-profile cases is the Subway restaurant hacks, in which Romanian attackers remotely targeted 150 Subway locations and other stores to steal point-of-sale credit card information from 146,000 customers between 2009 and 2011.

Some say that these types of breaches are eminently preventable. “These days, there’s absolutely no need for merchants or franchises to store credit, debit and member information without protecting the data itself, using what’s called data-centric security,” said Mark Bower, vice president at Voltage Security, in an email to Infosecurity. “The threats of malware are well-known and have compromised retailer after retailer. That’s why leading payment processors offer solutions to eliminate this risk with point-to-point encryption (P2PE) and tokenization solutions – turning the high-value payment and identity data the attackers are after (the gold), into straw.”

“If merchants are handling sensitive customer data, like Social Security numbers, names and addresses, then they need to consider data-centric security there too, in order to reduce the risk of fines, public notifications and losing customer loyalty if their data is compromised,” Bower counseled.

What’s hot on Infosecurity Magazine?