US chain Caribou Coffee announced a payment card data breach on Thursday, listing 265 outlets across 11 states that had been affected.
It claimed to have identified unusual network activity on November 28 and enlisted the help of Mandiant, which found evidence of unauthorized access to point-of-sale (POS) systems two days later.
The firm claimed it is confident that this access was stopped immediately and the breach contained. However, it is warning that an unspecified number of customers may have had their payment card details taken.
“If you visited any of our company-owned Caribou locations between August 28, 2018 and December 3, 2018, there is a possibility that your name and credit card information, including card number, expiration date and card security code may have been accessed as a result of this unauthorized activity,” it stated.
“Payments made through your Caribou Coffee Perks account or other loyalty account were not affected. Any catering orders placed online with Bruegger’s Bagels, Einstein Bros. Bagels, Manhattan Bagel and Noah’s NY Bagels were also not affected by this breach.”
The firm urged customers to check the list of outlets affected and monitor their credit/debit card transactions carefully.
It does not appear to be offering any free credit monitoring or credit freeze services.
The incident proves POS malware remains a threat for businesses handling card data. The advent of EMV was meant to deter attackers, because it includes additional security measures to make it difficult to clone cards following a card-present breach.
However, many merchants are making the hackers’ job easier by continuing to use EMV cards' fallback magstripe functionality, according to recent research.
Gemini Advisory claimed in November that of the 60 million US payment cards compromised in the previous 12 months, 75% were stolen at POS and 90% of these were EMV-enabled.
“As 2018 comes to a close, besides refuelling stations, there are numerous merchant locations that are still asking their customers to swipe rather than use the chip insert method, thus completely neglecting the EMV security features,” it warned.
“This often happens because the merchant does not have an upgraded EMV enabled POS or the merchant has the EMV enabled POS system but is not using its full capabilities. In some cases, retailers are opposing migration to newer EMV technology because of the inherent high cost of the equipment.”