Popular U.S. smoked-meat franchise Dickey’s Barbecue Pit has been hit with a data breach, with cybercriminals posting the fat cap of the compromised data – 3 million payment cards – on the popular Joker’s Stash underground marketplace this week.

The Dallas-based franchise, which is a subsidiary of Dickey’s Capital Group, has 469 locations (411 of which are currently open during the pandemic) across 42 states. Researchers believe that the meat of the compromised data came from 156 of these locations across 30 states. They also believe the exposure window appears to be between July 2019 and August 2020.

In a statement sent to Threatpost, Dickey’s confirmed the breach and said it is currently focused on determining the locations affected and time frames involved.

“We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway,” according to the statement. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

Researchers with Gemini Advisory shed light on the details of the breach when they discovered the upload on the Joker’s Stash, a popular underground destination that specializes in trading in payment-card data. This marketplace is known for advertising and uploading major breaches containing millions of compromised cards, including the Wawa breach – which dropped 30 million payment cards – from January.

Researchers said they observed the marketplace administrator setting the compromised data live on Oct. 12. The administrators claimed the breached data, which they called BLAZINGSUN, is comprised of 3 million compromised cards with a median price of $17 per card.

Gemini Advisory researchers claim that payment transactions of the franchise may have been processed on point-of-sale (PoS) systems via the outdated magnetic stripe card method – which they said is prone to malware attacks.

Security experts have advocated for retailers to switch over to chip-card readers, which contain an embedded microprocessor that encrypts the card data, implement the EMV standard (which stands for Europay, MasterCard and Visa, and is a global standard for chip cards’ compatibility with point-of-sale terminals), and are in theory a more secure alternative to magnetic stripe cards.

“It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s,” researchers said.

Another piece of the equation is that because Dickey’s operates on a franchise model, each location may have been able to dictate the type of PoS device and processors that it uses – so some locations may be affected by the breach, while others may not be, said researchers.


Dickey's BBQ Breach: Meaty 3M Payment Card Upload Drops on Joker's Stash