US cinema chain B&B Theaters is investigating a possible two-year breach of customer card details following a tip-off from a banking partner.
The Missouri-based firm said in a statement that it hired Trustwave to contain and mitigate the risk of any further losses.
It continued:
“While some malware was identified on B&B systems that dated back to 2015, the investigation completed by Trustwave did not conclude that customer data was at risk on all B&B systems for the entirety of the breach…
“Trustwave’s investigation has since shown the breach to be contained to the satisfaction of our processing partners as well as the major credit card brands. B&B Theaters values the security of our customers’ data and will continue to implement the latest available technologies to keep our networks & systems secure into the future.”
Estimates from the card companies, which financial services sources relayed to Brian Krebs, reveal that customers may have been exposed from April 2015 all the way to April this year.
The chances are that hackers managed to infiltrate the cinema company’s POS systems to scrape card magstripe data.
US companies are still dragging their heels over chip and PIN roll-outs despite new rules from the PCI SSC now placing all liability for follow-on fraud with the breached organisation if it hasn’t migrated to the new system.
John Christly, global CISO at managed security provider Netsurion, argued that because the window of exposure was so long for B&B, many of the cards compromised may have already been cancelled as a result of being exposed in other breaches.
He added that with the underground market now flooded with stolen card data, cyber-criminals could turn to POS ransomware to generate profits.
“If retailers don’t protect themselves properly, this isn’t much of a stretch. Rather than gain access to a chain’s POS to exfiltrate credit cards over months or even years, cyber-criminals could deploy ransomware that shuts down the POS systems… effectively bringing the business and all revenue to a screeching halt,” argued Christly.
“This would likely prompt stores to pay the ransom right away, allowing the threat actors to profit within minutes. And with the impressive success of the global WannaCry and Petya outbreaks, cyber-criminals are taking notice of what works.”