Hackers increasingly wreak havoc on industry

DALLAS — The criminal hacking of credit card data from restaurants’ point-of-sale systems has been increasing, despite the industry’s adoption of standards to protect customers’ personal information.

Federal prosecutors this month indicted three suspects, two of whom were in jails in Turkey and Germany awaiting extradition, for allegedly stealing customers’ charge card data from computers at 11 of the Dave & Buster’s chain’s 49 units. The data from just one branch was blamed by authorities for banks’ losses of more than $600,000.

Not Your Average Joe’s, the 16-unit chain based in Dartmouth, Mass., still is dealing with the costly fallout from a data breach last year.

And the management of Fat City Inc. of Sacramento, Calif., remains mystified about how hackers apparently pilfered information about at least 20 customers and led to a $90,000 fine against the restaurant group by a credit card issuer.

Some operators have paid a bigger price, experts say.

“The combination of hard costs and damaged reputation associated with these incidents has literally put restaurants out of business,” said David Denney, a lawyer in Dallas who deals with many restaurant clients.

Hacking incidents have increased even as the foodservice companies have applied the controversial Payment Card Industry Data Security Standards, or PCI DSS, which took effect in September 2006 and are undergoing a revision.

Restaurants have not been alone in being attacked by hackers, some of whom are said to have targeted foodservice firms after doing damage to other kinds of businesses.

The suspect being held in Turkey in the Dave & Buster’s case was identified as Maksym Yastremskiy of the Ukraine, who also is a key suspect in one of the largest hacker attacks ever. Massachusetts authorities have linked him to the breach of the computer system of TJX Cos. Inc. of Framingham, Mass., parent of the T.J. Maxx and Marshalls retail chains. Hackers in that attack, disclosed in January 2007, stole information from about 45 million credit cards and may be responsible for $197 million in illegal purchases. TJX has so far tentatively agreed to pay MasterCard as much as $24 million in possible losses and Visa as much as $40 million.

Lawyer Denney said: “Any agreement signed with a credit card processor [or] merchant bank will require the operator to comply with PCI-DSS. After the restaurant pays for a full audit of the POS system—about $10,000—it will retain virtually all liability for cardholder damages, the cost of reissuing cards [of] $25 to $30 per card, the credit card company’s attorneys’ fees, and fines and penalties charged by both the credit card company and the credit card processor.”

In addition, Denney said, “if a breach has occurred, the credit card processor can take from your bank account or withhold from processing upwards of $100,000 based on its estimate of what its loss, fines and/or penalties might be.”

Dave & Buster’s, in a statement, said it was alerted to the hacking last August and immediately contacted the U.S. Secret Service. While Dave & Buster’s aided the government investigations, the company said, it also retained outside security experts who identified the source of the misused data. The company said it had implemented additional security measures to prevent any more such incidents from occurring.

The 11 Dave & Buster’s that were compromised are two units in Dallas and branches in Westminster, Colo.; Islandia, N.Y.; West Nyack, N.Y.; Utica, Mich.; downtown Chicago; Columbus, Ohio; Jacksonville, Fla.; Austin, Texas; and Frisco, Texas.

Neither the company nor the government indicated the full extent of losses from the data breach. The Justice Department said that from one restaurant alone, “packet sniffer” code was used to capture data taken from about 5,000 credit cards, which then was sold to others who made purchases on the accounts. The theft from that individual restaurant eventually caused losses of at least $600,000 to issuing financial institutions, authorities indicated.

Dave & Buster’s said it does not store credit or debit card numbers or customer names. It said information to help in the identification of affected cardholders was provided to the credit card companies by Dave & Buster’s and Chase Paymentech Solutions LLC.

“As soon as we became aware of the breach in August 2007, we took steps to secure our systems and remain confident that they are safe today,” said Steve King, chief executive of Dave & Buster’s. “We thank the Secret Service and the Department of Justice for their diligence in arresting and prosecuting those responsible for this crime and look forward to working closely with them during the pendency of this criminal matter.”

In addition to charges against Yastremskiy, the 27-count indictment also charged Aleksandr Suvorov of Estonia with wire fraud, identity theft and intercepts of electronic communications. Albert Gonzalez of Miami was charged with wire fraud conspiracy related to the scheme.

Not Your Average Joe’s, which still warns customers about the data breach at its website, said it has upgraded its computer security but that some customers have had fraudulent charges placed on their credit cards.

The chain indicated that it couldn’t describe its safeguards “without compromising ongoing security,” but that it believes all data transmittals now are secure.

Bravo! Development Inc. of Columbus, Ohio, recently upgraded its computer security system for its 71 Bravo! Cucina Italiana, Brio Tuscan Grille and Bon Vie Bistro locations.

Kathleen L. Chugh, Bravo’s vice president of information technology, said: “We are concerned about protection of our consumer data. There are new threats and approaches to gain access to the data that are a threat to all of us.”

She said the new “universal threat management” device that Bravo installed “provides us the intrusion prevention and alerting that we need to address potential threats or security concerns.”

On May 14, the PCI Security Standards Council, a group of credit card issuers and processors, announced that it will be releasing a new version of the PCI Data Security Standard, version 1.2, in October.

The upgrade should “minimize the risk of data breaches that can challenge the positive public perception of the security practices of merchants and financial institutions,” said the council’s general manager, Bob Russo.

As more restaurants offer free Wi-Fi Internet access, that “can be an open door to hackers if your POS system isn’t separated or firewalled,” lawyer Denney said.

The best defense, he added, “is a PCI-compliant POS system.”

“Even recently purchased software can be outdated and store things like unencrypted magnetic strip data, PINs [personal identity numbers] or security codes,” he said.

Denney advised that even if the credit card readers and data transmission gear used by a restaurant don’t comply with PCI standards, management should at least check to see that a firewall separates the POS system from the Internet; that antivirus upgrades are made routinely; that system passwords are changed from default settings and revised regularly; and that remote-access capabilities are disabled or used sparingly.

“Your POS provider can tell you what data your system stores,” Denney said. “If you don’t need it, delete it. Furthermore, if you are storing old credit card slips that contain sensitive data, shred them or ensure they are secure.”

The fallout from a data breach not only costs money but also depletes the good will of patrons and financial backers, he warned.

“Shaken investor confidence can decimate the stock value of public companies just as easily as broken trust can destroy an independent’s good will within a community,” Denney said. “The real question is whether to keep the breach quiet or go public.

“While most restaurants would prefer that the information remain undisclosed, the ramifications would likely be even worse if it looked like the restaurant was trying to cover it up.

“If a security breach is discovered, you should take steps to remedy it and protect against future hacks, and any press release disclosing the breach should always be accompanied by a statement of what’s being done to protect customers.”
