Earl Enterprises, the parent company of a handful of restaurants, including Buca di Beppo, Earl of Sandwich, and Planet Hollywood, revealed last week that a slew of its eateries have been impacted by a nearly yearlong payment card breach, resulting in some two million stolen credit card numbers.
The hospitality firm disclosed the breach, about a month after cybersecurity reporter Brian Krebs pinged Buca di Beppo and informed the company he noticed some of its customers' credit and debit card numbers being sold on an underground carding forum.
Earl Enterprises, which also counts restaurants such as Chicken Guy!, Mixology, and Tequila Taqueria among its brands, said that all of its restaurants were impacted in some way, shape or form by the breach, after attackers installed malicious software, presumably point-of-sale (POS) malware, on its systems.
The dates and affected transactions vary by restaurant and location but most were hit for 10 months, between May 23, 2018 and March 18, 2019. It's unclear exactly what the attackers made off with but according to the company, the software was designed to capture payment card data, including card numbers, expiration dates, and potentially, cardholder names.
The company, which is based in Orlando, Fla., didn't say how many diners may have had their card info swiped but according to Krebs, the two million credit cards he spotted being sold in the cybercrime underground are the same as those impacted by the breach.
As is usually the case with incidents like this, Earl Enterprises declined to name the strain of malware, how it may have gotten on its restaurants' systems, or how it resolved the issue. The company only said it contained the incident and would be working "diligently with security experts on further remediation efforts."
In order to place POS malware on a system, attackers either have to physically alter a POS device or exploit a vulnerability over the target's network in order to infect it. From there, the malware usually scrapes Track 1 and Track 2 data before it's encrypted and sent off to a payment processor.
POS malware has remained a powerful tool for attackers looking to exfiltrate card data, commonly from the food and hospitality industry, for years, with new variants continuing to surface and spread in the wild. Researchers at Flashpoint and Cisco Talos each uncovered a new type of POS malware last month.
Researchers with the former found that the creators of one strain, DMSniff, have been using a domain generation algorithm (DGA) to change up its command and control domains to evade detection.
The technique, which researchers said is highly unique for POS malware, enables attackers to continue sharing commands or data even if a domain is taken down. It can also help them bypass any trivial blocking mechanisms. The malware, which has apparently lingered for the better part of four years before being uncovered, has mostly hit restaurants and theaters, Flashpoint said.
Around the same time Flashpoint published its findings, researchers with Cisco's Talos Group said that they had uncovered a new strain of POS malware as well.
The variant they discovered, GlitchPOS, is especially easy to use, according to the firm's Warren Mercer and Paul Rascagneres.
"This is a case where the average user could purchase all the tools necessary to set up their own credit card-skimming botnet," the two said.
Unlike DMSniff, GlitchPOS is a new creation; the first mention of the malware came on an underground forum in February. While generally more expensive than most types of POS malware (Talos says the built malware runs for $250, the builder for $600, and the gate address change is $80), GlitchPOS does appear easy to use, which could appeal to would-be attackers.
According to Verizon's 2018 Payment Security Report, compliance with Payment Card Industry Data Security Standard (PCI DSS) - full compliance at an interim assessment - was down in 2018 for the first time in six years.
Organizations looking to achieve PCI DSS compliance should manage it as part of a broader data protection program to ensure customer financial data can be found, encrypted, and protected at rest, in use, and in motion.