Over 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains

On Nov. 23, one of the cybercrime underground’s largest bazaars for buying and selling stolen payment card data announced the immediate availability of some four million freshly-hacked debit and credit cards. This latest batch of cards was siphoned from four different compromised restaurant chains that are most prevalent across the Midwest and the eastern United States.

The four million cards were taken in breaches recently disclosed by restaurant chains Krystal, Moe’s, McAlister’s Deli and Schlotzsky’s. Krystal announced a card breach last month. The other three restaurants are all part of the same parent company and disclosed breaches in August 2019.

“Gemini [a New York-based fraud intelligence company] found that the four breached restaurants…were Krystal, Moe’s, McAlister’s and Schlotzsky’s,” Gemini wrote in an analysis of the New World Order batch. “Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”

McAlister’s (green), Schlotzsky’s (blue), Moe’s (gray), and Krystal (orange) locations across the United States. Image: Gemini Advisory.

Focus Brands (which owns Moe’s, McAlister’s, and Schlotzsky’s) was breached between April and July 2019 and publicly disclosed this on August 23. Krystal claims to have been breached between July and September 2019 and disclosed this in late October.

Joker’s Stash

The stolen cards went up for sale at the infamous Joker’s Stash carding bazaar. The most recent big breach marketed on Joker’s Stash was dubbed “Solar Energy,” and included more than five million cards. These cards were stolen from restaurants, fuel pumps, and drive-through coffee shops operated by Hy-Vee, a supermarket chain based in Iowa.

According to Gemini, Joker’s Stash likely delayed the debut of the New World Order cards to keep from flooding the market with too much stolen card data all at once. Flooding the market can have the effect of lowering prices for stolen cards across the board.

“Joker’s Stash first announced their breach on November 11, 2019, and published the data on November 22,” Gemini found. “This delay between breaches occurring as early as July and data being offered in the dark web in November appears to be an effort to avoid oversaturating the dark web market with an excess of stolen payment records.”

Most card breaches at restaurants and other brick-and-mortar stores occur when cybercriminals manage to remotely install malicious software on the retailer’s card-processing systems. This is often done by compromising third-party firms that help manage these systems. This type of point-of-sale malware is capable of copying data stored on a card’s magnetic stripe when those cards are swiped at compromised payment terminals. That data can then be used to create counterfeit copies of the cards.

Chip-Based Cards

The United States is the last of the G20 nations to make the shift to more secure chip-based cards. These cards are far more expensive and difficult for criminals to counterfeit. However, many merchants have not yet shifted to using chip-based card readers and still swipe their customers’ cards.

According to stats released in September by Visa, 80% of U.S. storefronts now accept chip cards. Visa says for merchants who have completed the chip upgrade, counterfeit fraud dollars dropped 87% in March 2019 compared to September 2015. This may help explain why card thieves increasingly are shifting their attention to compromising e-commerce merchants. This trend has been seen in virtually every country that has already made the transition to chip-based cards.

Payment Card Industry Security Standards

Companies that accept, store, process and transmit credit and debit card payments are required to implement Payment Card Industry (PCI) security standards. However, not all entities are required to prove that they have met them. While the PCI standards are widely considered a baseline for merchants that accept payment cards, many security experts advise companies to put in place protections that go well beyond these standards.

Even so, the 2019 Payment Security Report from Verizon indicates the number of companies that maintain full compliance with PCI standards decreased for the second year in a row to just 36.7% worldwide.

The organized cyberthieves involved in stealing card data from main street merchants have gradually moved down the food chain to smaller and probably less secure merchants, either by choice or because the larger stores became a harder target.

Has Your Card Been Breached?

It’s really not worth worrying about where your card number may have been breached: it’s almost always impossible to say for sure, and it’s common for the same card to be breached at multiple establishments during the same time period.

Remember, while consumers are not liable for fraudulent charges, it does fall to the consumer to spot and report suspicious charges. Keep a close eye on your statements, and consider signing up for text message notifications of new charges. Most of these services can also alert you to an upcoming payment and can be handy in avoiding late fees and other charges.

Krebs, Brian. (2019, November 26). Sale of 4 Million Stolen Cards Tied to Breaches at 4 Restaurant Chains. Krebs on Security.