The Latest Retail Breaches: Third-Party Data Breaches
Third-party data breaches have been dominating the headlines in 2019, with a lot of the recent news stories focusing on retail companies being hacked. The common theme? Third-party Point of Sale (POS) breaches.
With the average third-party data breach costing $7.5 million to remediate, it’s time for retailers to take a true risk-based approach when it comes to their third-party ecosystem. Let’s take a look at the latest data breaches that have affected the retail industry.
Checkers Restaurants
Exposed Records: Unknown
Reported May 2019
One of the largest drive-through restaurants in the U.S., Checkers operates in 28 states. They were recently attacked by Point of Sale (POS) malware, which impacted 15% of their stores across the U.S. The malware was designed to collect data stored on the magnetic stripe of payment cards – from cardholder names and card numbers to card verification codes and expiry dates. Records were exposed from as early as December 2015 to as recently as April 2019.
“Point-of-sale security is proving to be an enormous challenge as attackers increasingly target the hospitality industry in hopes of accessing sensitive payment data,” Fred Kneip, CEO of CyberGRX, told Threatpost. “The Checkers/Rally’s incident is the most recent in a history of attacks targeting similar companies like Applebee’s, Wendy’s and Sonic. Third-party attacks are commonplace and restaurants must have dynamic visibility into the business exposure and cyber risk posed by their extended ecosystem so they can identify and mitigate security gaps that serve as open invitations to malicious actors.”
Hy-Vee
Exposed Records: Unknown
Reported August 2019
Hy-Vee is currently investigating security issues with their POS systems across all of their businesses – from fuel pumps to drive-thru coffee shops, restaurants, and store-owned Wahlburgers locations.
“Our investigation is focused on card transactions at our fuel pumps, drive-thru coffee shops, and restaurants,” the Hy-Vee statement said. “These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions.”
Earl Enterprises
Exposed Records: Unknown
Reported April 2019
The parent company of popular eateries and stores such as Buca di Beppo, Mixology, and Planet Hollywood, Earl Enterprises suffered a breach that left customer payment information exposed from May 2018 to March 2019.
“Based on the investigation, it appears that unauthorized individuals installed malicious software on some point-of-sale systems at a certain number of Earl Enterprises’ restaurants,” the Earl Enterprises statement reads.
Forever 21
Exposed Records: Unknown
Reported January 2018
Popular fast-fashion retailer Forever 21 was breached for at least 7 months in 2017, a hack that was reported in January of 2018. Compromised POS devices gave hackers access to customers’ payment cards after the hackers obtained network access and installed malware that could harvest payment card data.