The Latest Retail Breaches: Third-Party Data Breaches

Third-party data breaches have been dominating the headlines in 2019, with a lot of the recent news stories focusing on retail companies being hacked. The common theme? Third-party Point of Sale (POS) breaches.

With the average third-party data breach costing $7.5 million to remediate, it’s time for retailers to take a true risk-based approach when it comes to their third-party ecosystem. Let’s take a look at the latest data breaches that have effected the retail industry.

Related: The Anatomy of a Third-Party Data Breach

Checker’s Restaurants

Exposed records: Unknown

Reported May 2019

One of the largest drive-through restaurants in the U.S., Checker’s operates in 28 states. They were recently attacked by Point of Sale (POS) malware, which impacted 15% of their stores across the U.S. The malware was designed to collect data stored on the magnetic strip of payment cards – from cardholder names and card numbers to card verification codes and expiry dates. Records were exposed as early as December 2015 to as recently as April 2019.

“Point-of-sale security is proving to be an enormous challenge as attackers increasingly target the hospitality industry in hopes of accessing sensitive payment data,” Fred Kneip, CEO of CyberGRX, told Threatpost. “The Checkers/Rally’s incident is the most recent in a history of attacks targeting similar companies like Applebee’s, Wendy’s and Sonic. Third-party attacks are commonplace and restaurants must have dynamic visibility into the business exposure and cyber risk posed by their extended ecosystem so they can identify and mitigate security gaps that serve as open invitations to malicious actors.”

Hy-Vee

Exposed Records: Unknown

Reported August 2019

Hy-Vee is currently investigating security issues with their POS systems across all of their businesses – from fuel pumps to drive-thru coffee shops, restaurants, and store-owned Wahlburgers locations.

“Our investigation is focused on card transactions at our fuel pumps, drive-thru coffee shops, and restaurants,” the Hy-Vee statement said. “These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions.”

Related: The Top 5 Cyber Threats To Businesses in 2019

Earl Enterprises

Exposed Records: Unknown

Reported April 2019

Parent company of popular eateries and stores such as Buca Di Beppo, Mixology, and Planet Hollywood, Earl Enterprises suffered a breach that left customer payment information exposed from May 2018 to March 2019.

“Based on the investigation, it appears that unauthorized individuals installed malicious software on some point-of-sale systems at a certain number of Earl Enterprises’ restaurants,” the Earl Enterprise statement reads.

Forever 21

Exposed Records: Unknown

Reported January 2018

Popular fast-fashion retailer, Forever 21, was breached for at least 7 months in 2017, a hack that was reported in January of 2018. Compromised POS devices gave hackers access to customers’ payment cards after Hackers obtained network access and installed malware that could harvest payment card data.