Hundreds of restaurants in the Pacific Northwest may have been hit by a data breach caused by flaws in a point-of-sale system supplied by Information Systems and Supplies, idRADAR News reports.
In a letter [pdf] to its restaurant customers, ISS admits that customer credit card data entered into its POS system may have been stolen. The company discovered that its Log-Me-In account had been breached on three occasions between February 28 and April 18 of this year.
“We have reason to believe that the data accessed could include credit card information from any cards used by your customers between these dates,” writes ISS President Thomas Potter. He went on to relate that ISS changed all of its Log-Me-In credentials and put in place a secondary unique password to prevent “further malicious activity” and ran a virus scan at all of its sites.
The Log-Me-In account enables customers to get help desk support from ISS about the POS system, which provides ISS staff remote access to client POS systems and computers.
Potter tells idRADAR News that his company had retained TrustWave to conduct a forensics investigation. “They are reverse engineering the malware so that they and the Secret Service know where it originated. The hacker never got into our network. Only into our Log-Me-In account,” Potter adds.
ISS clients in the Pacific Northwest include Buffalo Wild Wings, Dairy Queen, Flat Tail Brewing, Double Mountain Brewery and Taco Time.
The report estimates that up to 290 dining locations could be affected by the breach, which would make it larger than the breach at P. F. Chang’s last month. In that breach, thousands of credit and debit cards were stolen from P.F. Chang’s restaurant locations and sold in the cyber underground. P.F. Chang’s has 210 restaurants in the United States.
In an update, P.F. Chang’s CEO Rick Federico says in a July 1 statement that the data breach was the work of a “highly sophisticated criminal operation that is being investigated by both the United States Secret Service and a team of third-party forensic experts.”
Federico said that investigation was continuing and his company would share additional details when “confirmed by the investigators.”
July 2, 2014 | By Fred Donovan