Dickey's BBQ Breach: Meaty 3M Payment Card Upload Drops on Joker's Stash

Dickey's BBQ Breach: Meaty 3M Payment Card Upload Drops on Joker's Stash

After cybercriminals smoked out 3 million compromised payment cards on the Joker’s Stash marketplace, researchers linked the data to a breach at the popular barbecue franchise.

Popular U.S. smoked-meat franchise Dickey’s Barbecue Pit has been hit with a data breach, with cybercriminals posting the fat cap of the compromised data – 3 million payment cards – on the popular Joker’s Stash underground marketplace this week.

The Dallas-based franchise, which is a subsidiary of Dickey’s Capital Group, has 469 locations (411 of which are currently open during the pandemic) across 42 states. Researchers believe that the meat of the compromised data came from 156 of these locations across 30 states. They also believe the exposure window appears to be between July 2019 and August 2020.

In a statement sent to Threatpost, Dickey’s confirmed the breach and said it is currently focused on determining the locations affected and time frames involved.

“We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway,” according to the statement. “We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

Researchers with Gemini Advisory shed light on the details of the breach when they discovered the upload on the Joker’s Stash, a popular underground destination that specializes in trading in payment-card data. This marketplace is known for advertising and uploading major breaches containing millions of compromised cards, including the Wawa breach – which dropped 30 million payment cards – from January.

Researchers said they observed the marketplace administrator setting the compromised data live on Oct. 12. The administrators claimed the breached data, which they called BLAZINGSUN, is comprised of 3 million compromised cards with a median price of $17 per card.

Gemini Advisory researchers claim that payment transactions of the franchise may have been processed on point-of-sale (PoS) systems via the outdated magnetic stripe card method – which they said is prone to malware attacks.

Security experts have advocated for retailers to switch over to chip-card readers, which contain an embedded microprocessor that encrypts the card data, implement the EMV standard (which stands for Europay, MasterCard and Visa, and is a global standard for chip cards’ compatibility with point-of-sale terminals), and are in theory a more secure alternative to magnetic stripe cards.

“It remains unclear if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured; either of these possibilities may hold serious liability for Dickey’s,” researchers said.

Another piece of the equation is that because Dickey’s operates on a franchise model, each location may have been able to dictate the type of POS device and processors that they utilize – so some locations may be affected by the breach, while others may not be, said researchers.

breach hacks web security breach dark web data breach dickey’s barbeque pit joker’s stash magstripe point of sale retail underground marketplace

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

Chris Vickery: AI Will Drive Tomorrow’s Data Breaches

Chris Vickery talks about his craziest data breach discoveries and why "vishing" is the next top threat no one's ready for.

Enterprise Data Security: It’s Time to Flip the Established Approach

Enterprise Data Security: It’s Time to Flip the Established Approach. Companies should forget about auditing where data resides and who has access to it.

Applications Of Data Science On 3D Imagery Data

The agenda of the talk included an introduction to 3D data, its applications and case studies, 3D data alignment and more.

Hackers Sell Data from 26 Million LiveJournal Users on Dark Web

Hackers Sell Data from 26 Million LiveJournal Users on Dark Web. Passwords and other credentials have been listed on Have I Been Pwned as attack rumors circulate.

Unsecured Microsoft Bing Server Leaked Search Queries, Location Data

Data exposed included search terms, location coordinates, and device information – but no personal data.