Checkers, one of the largest drive-through restaurant chains in the United States, disclosed a massive long-running data breach yesterday that affected an unknown number of customers at 103 of its Checkers and Rally’s locations—nearly 15% of its restaurants.
The time frames for the infection and data theft vary, with some locations infected with the point-of-sale malware as early as 2015, which indicates that the company was severely slow in detecting the hacks.
The impacted restaurants (names, addresses and exposure dates) are located in 20 states, including Florida, California, Michigan, New York, Nevada, New Jersey, Georgia, Ohio, Illinois, Indiana, Delaware, Kentucky, Louisiana, Alabama, North Carolina, Pennsylvania, Tennessee, West Virginia and Virginia.
The PoS malware was designed to collect information stored on the magnetic stripe of payment cards, including the cardholder’s name, payment card number, card verification code, and expiration date.
As is typical in these cases, Checkers has informed law enforcement, hired third-party security experts and said it’s working with payment card companies in an effort to protect cardholders. That’s little solace to customers, however, who could have had their credit card details stolen for a period as long as four years.
Robert Capps, vice president of business development at behavioral biometrics firm NuData Security, told Hack Hex that point-of-sale systems are a prime target for cybercriminals because once they plant their malware, they can easily siphon off credit card information.
According to the exposure dates mentioned on the list of impacted restaurants:
- One restaurant in California had PoS malware installed on its system in December 2015, which continually captured customers’ payment card information until March 2018.
- Two restaurants, one in California and the other in Florida, were backdoored with the PoS malware in 2016, allowing hackers to remotely steal data until 2018 and 2019, respectively.
- Four restaurants in four different states were infected in 2017 and remained infected until sometime between early 2018 and 2019.
- The remaining restaurants were infected in 2018, and the malware remained active until early 2019.
Jonathan Bensen, senior director of product management and chief information security officer at breach avoidance platform firm Balbix Inc., took particular issue with the fact that some locations were infected going back to 2015.
“The amount of time that passed from when the first restaurant location was infected with the malware to the time the company detected the intrusion is unacceptable,” Bensen said. “Armed with data including cardholder names, payment card numbers, verification codes and expiration dates, malicious actors can make fraudulent purchases and sell this information on the dark web, causing great harm to impacted customers.”
So, if you visited any of the affected locations during its exposure dates, you are strongly advised to review your account statements for suspicious transactions. If you come across any, immediately contact the card issuer and consider placing a fraud alert or security freeze on your credit file at Equifax, Experian, and TransUnion.