Dallas-Based Restaurant Chain Confirms POS Breach


Security Experts Say Restaurants Are Increasingly Targeted

A Dallas-based restaurant chain says a malware attack waged against its point-of-sale system apparently compromised payment cards at all of its 29 locations in seven states between Aug. 12 and Dec. 4.


CM Ebar LLC, which owns the Elephant Bar restaurant chain, revealed the breach on Dec. 8 after its payments processor alerted it Nov. 3 of a potential intrusion. Twenty restaurants in California, three in Colorado, two in Arizona and one each in Florida, Missouri, Nevada and New Mexico were affected, the company says.

A list of each Elephant Bar location that was affected, along with specific date ranges of the compromise, is posted on Elephant Bar's website.

Worrisome Trend

Al Pascual, director of fraud and security at Javelin Strategy & Research, says POS breaches at restaurant chains are becoming an increasingly worrisome trend. One of the most significant of these breaches hit 33 P.F. Chang's locations in 18 states. That incident, like the Elephant Bar breach, involved POS malware.

Another payments fraud expert, who asked to remain unnamed, says POS malware attacks are increasingly being waged against smaller, regional merchants and restaurant chains, which have seemingly been easier-to-strike targets.

"I'm wondering how many more of these we will need to see before restaurants come around to EMV," Pascual says. "Going with a contactless EMV terminal would accommodate growing use of mobile-proximity payments like Apple Pay, which will represent 1.3 billion total transactions in the U.S. by 2019, and reduce the risk of breaches, as EMV data is significantly less attractive to compromise."

Malware Attack

In a statement about the breach, CM Ebar LLC notes: "Based upon an extensive forensic investigation, it appears that unauthorized individuals installed malicious software on our payment processing systems at certain restaurant locations designed to capture payment card information, including cardholder name, payment card account number, card expiration date and verification code.

"Although this incident did not include Social Security numbers, addresses or other sensitive personal information, as an additional precaution, we are providing information and resources to help customers protect their identities."

A spokeswoman for CM Ebar tells Information Security Media Group that the incident is still under investigation. The malware, which was designed to capture payment card information in real time from the chain's point-of-sale servers, has been disabled, and all POS and card processing systems have been reconfigured, she says. Elephant Bar's POS systems run on a Microsoft Windows-based platform, she adds.

"We don't know how many cards were impacted," the spokeswoman says. "We are hoping to get that information from our processor."

Elephant Bar would not name the processor it uses nor the malware strain that infected its system.

Determining the Impact

Card issuers contacted by ISMG say they, too, are still trying to figure out the breadth of the breach.

One executive with a major card issuer on the West Coast, who asked not to be named, says Elephant Bar was recognized by many issuers as a common point of compromise for cards hit with fraudulent transactions. But determining the amount of fraud and the number of cards impacted by the Elephant Bar breach has proven difficult, the executive says.

"We have exposure in the California, Colorado and Missouri areas, but much less in the other states," the executive says. "We are always interested in trying to figure out where to look when trying to find the source of the breach. With the POS software issues of the last 18 months, this has become very difficult and elusive."