Another popular US restaurant franchise appears to have been on the receiving end of a major point of sale (PoS) data breach, with dark web traders claiming to have three million cards to sell.
Threat intelligence firm Gemini Advisory analyzed data uploaded to infamous carding forum Joker’s Stash and revealed that Dickey’s Barbecue Pit is the affected restaurant chain.
It said that customers in around a third of locations, 156 of 469, across 30 states may have had their cards compromised between July 2019 and August 2020.
“Dickey’s operates on a franchise model, which often allows each location to dictate the type of PoS device and processors that they utilize,” said the vendor.
“However, given the widespread nature of the breach, the exposure may be linked to a breach of the single central processor, which was leveraged by over a quarter of all Dickey’s locations.”
The dark web seller advertising the cards, BlazingSun, has not uploaded the entire stash yet, and will likely continue to add compromised data over the next few months, Gemini Advisory said.
“Gemini sources have also determined that the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks,” it concluded. “It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s.”
After the shift to EMV, merchants which continue to process magstripe could face legal action and fines if breached. The practice is far more common in the US, which made the switch to more secure cards relatively late compared to much of Western Europe, which is why PoS breaches like this still occur.