Incident Of The Week: Wawa, Champagne French Bakery Café And Islands Restaurants Disclose Retail Malware
Point-Of-Sale Terminals Infected For Months Capture Payment Card Information
A trio of retailers disclosed payment card incidents this week resulting in data breaches. Bad actors are infecting point-of-sale (POS) terminals with malware. The malware captures payment card information before it enters the transaction processing system.
POS Malware: Wawa Convenience and Fuel Retailer
Retail chain Wawa disclosed that it had discovered malware on its payment processing servers earlier this month. An external forensics team determined that the malware began running at different points in time about 9 months earlier.
“I apologize deeply to all of you, our friends and neighbors, for this incident,” wrote Wawa CEO Chris Gheysens in a letter to the company’s customers. “You are my top priority and are critically important to all of the nearly 37,000 associates at Wawa. We take this special relationship with you and the protection of your information very seriously.”
The company stated that payment card information was captured as a result of the malware infection, though neither customer PINs nor CVV data were involved. Wawa is a chain of 850 convenience and fuel retail stores located in Delaware, Florida, Maryland, New Jersey, Pennsylvania, Virginia, and Washington, DC.
POS Malware: Champagne French Bakery Café
Champagne French Bakery Café disclosed that it discovered malware installed on certain point-of-sale devices used for payment card transactions in the company’s restaurants. The malware was designed to capture data read from a card’s magnetic stripe as it was being routed through the system. Data passed in the swipe process included the cardholder name, card number, expiration date, and internal verification code.
In some instances, the forensic investigation found that the malware identified only the portion of the magnetic stripe that contained payment card information without the cardholder name. Customer transactions from payment card swipes between February 18, 2019 and September 27, 2019 were potentially impacted. Eight restaurants in Southern California were involved in the data incident.
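As an added example (not part of the original article or any vendor's tooling), the Python script below audits log text for cleartext magnetic-stripe data of the kind described above. It distinguishes records that include the cardholder name (the ISO/IEC 7813 Track 1 layout) from those that do not (Track 2) and reports only masked card numbers. The sample log lines, the host name pos-07 and the test card number are constructed for illustration.

```python
import re

# ISO/IEC 7813 layouts. Track 1 carries the cardholder name; Track 2 does not.
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^\r\n]{2,26})\^(\d{4})(\d{3})[^?\r\n]*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")

# Constructed sample: debug output from a hypothetical POS reader service.
SAMPLE_LOG = """\
12:00:01 pos-07 DEBUG raw=%B4111111111111111^DOE/JANE^2512101000000000?
12:00:02 pos-07 DEBUG raw=;4111111111111111=25121010000000000?
12:00:03 pos-07 DEBUG raw=;1234567890123456=25121010000000000?
12:00:04 pos-07 INFO sale approved, card ending 1111
"""

def luhn_ok(pan):
    """Luhn checksum; filters out digit runs that are not card numbers."""
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

def mask(pan):
    """Keep the first six and last four digits so findings are safe to report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text):
    """Return masked findings for cleartext track data in log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append({"line": lineno, "kind": kind,
                                     "pan": mask(pan),
                                     "has_name": kind == "track1"})
    return findings

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f)
```

Any finding means full track data is being written in the clear somewhere it should not persist, which is worth tracing back to the component that logged it.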
POS Malware: Islands Restaurants
Burger chain Islands Restaurants disclosed that a payment card incident occurred earlier in the year in which malware was found infecting POS terminals. The timeframe of the incident varies by store location, but the malware was generally found to be active from February 18, 2019 to September 27, 2019. The chain identified 50 stores across cities in Arizona, California, Hawaii and Nevada that were impacted by the malware.
The methods used to deliver the malware and some of the limitations discovered by the forensic investigation were the same as those discussed in the Champagne French Bakery disclosure. Both chains have common ownership based in Carlsbad, CA.
Legacy POS Terminals Remain Dominant Form Of Payment
A couple of years have passed since U.S. banks and credit card companies made a push to move payment cards to an embedded chip + PIN combination. The change has reduced payment card skimming and malware infections, though uptake of chip cards by customers and enforcement of updated POS terminals in convenient "swipe and go" use cases remain ongoing concerns. Attackers can infect an entire business with malware on these machines, making the data heist possible with minimal skill or effort.