On the same day this week, two restaurants and a convenience store, all with locations across the U.S., disclosed security breach incidents that may have enabled attackers to steal customer payment card data.
In all three cases, malware designed to collect magnetic stripe data was discovered on payment processing servers for card transactions.
The most prominent on this shortlist is the Wawa convenience store chain, with all its locations potentially impacted starting March 4, 2019.
Current investigation results show that exposed payment card (debit and credit) information includes numbers, expiration dates, and cardholder names.
In its data breach notification on Thursday, Wawa says that the personal identification numbers (PINs) needed for approving transactions, typically above a specific limit, were not impacted. Card validation values (CVVs), used for card-not-present purchases (online shopping), also remained safe.
Wawa’s security team found the malicious software on the payment processing servers on December 10 and was able to contain it by December 12. The investigation determined that the “malware began running at different points in time after March 4, 2019.”
Chris Gheysens, Wawa CEO, says that none of the impacted customers will have to bear the fraudulent charges related to the incident. Identity protection and credit monitoring services are provided free of charge to Wawa customers whose information may have been involved.
The number of Islands restaurants impacted by the PoS malware incident disclosed on the same day as Wawa is 60. Most of them are in California, other locations being in Arizona, Hawaii, and Nevada.
The restaurant was alerted to a potential payment card issue and an investigation revealed that there was a reason for concern.
Not all devices in all restaurants were compromised. A list of affected Islands locations is accessible from the breach disclosure page.
The PoS malware campaign began on February 13 and continued until September 27, compromising locations on various dates. The malware searched for data on the magnetic stripe that contained the cardholder name, card number, expiration date, and internal verification code.
Islands restaurants’ notification states that malware is no longer present on payment card processing devices at its locations.
Champagne French Bakery Cafe
The restaurant announced the data breach on the same day as Wawa, but the details are different. Following an alert regarding PoS malware, Champagne initiated an investigation with the help of a computer forensics company.
The inspection revealed that PoS malware had been installed starting February 13 at various locations. Starting this date and continuing through September 27, “malware was installed on certain point-of-sale devices in our restaurants that were used for payment card transactions,” reads the notification.
According to the official statement, eight locations were compromised and at seven of them, card data could not be extracted in some weeks in March, just like in the case of the Islands compromise.
Similar to the incident affecting Islands restaurants, the following data from the magnetic stripe was exposed: cardholder name, card number, expiration date, and internal verification code. Also, the malware did not always identify the owner’s name in the payment card info, something that Islands also mentioned in their disclosure.
Neither Champagne nor Islands provides free identity protection and credit monitoring services, but both inform their customers that they can request a free copy of their credit report once a year.