Franchises from at least three national pizza chains hacked (update2)

Scott Thomas Anderson reports:

The rampant hacking of credit cards and ATM accounts that has hit Amador County is partly the result of “malicious software” installed at a Martell business, according to investigators from Amador County Sheriff’s office. Worse yet, six months of online victimization may not be over for some locals, particularly for those who entered Mountain Mike’s Pizza last winter without cash in their hands.

Sheriff’s officials updated reporters yesterday afternoon about a lengthy investigation into more than 70 cases of ATM/credit card fraud inundating its investigations bureau. Additional cases have also been reported to the Jackson Police Department. Undersheriff Jim Wegner said his detectives had been working closely with fraud units from several banks affected by the string of crimes, which began at the end of 2010 and gained an almost overwhelming momentum by February of this year.

Read more on Ledger Dispatch.

So far, only that one Mountain Mike’s Pizza store in California has been identified as having been breached from that chain, but other national chains have not been so fortunate, it seems.

In March, Extreme Pizza disclosed that the point of sale (POS) systems at a number of its west coast franchises had been compromised beginning in August 2010. Customers’ credit and debit card numbers were reportedly misused between then and January 2011. In an FAQ on its site, the chain said it was first made aware of the breach on February 28, 2011. Sixteen stores in California as well as stores in Colorado and Oregon were affected.

Both the Extreme Pizza and Mountain Mike’s Pizza breaches were on the west coast, where a third national pizza chain, zpizza, is also headquartered. zpizza provided DataBreaches.net with the following statement:

Zpizza was affected by malware on our point of sales system used to process credit and debit card transactions at 12 of our locations. These incidents did not involve an internal security issue within zpizza, and based on investigation, we have sufficient reasons to believe that zpizza is one of many small businesses across the nation that was affected by a computer hacker. Additional details about the issue are on store websites.

Zpizza is working with the Secret Service to address and resolve this issue as quickly as possible. Additionally, we have hired an outside consultant to ensure that our point of sale systems are secure and protected from any further intrusion.

[…]

The notice posted on individual stores’ web sites in mid-May read:

An Important Notice to our Customers

This notice pertains to any customer who used a credit card or debit card at the (LOCATION) zpizza location from September 2010 through and including January 2011. In advance, zpizza apologizes for any inconvenience that you may experience from the circumstances described below.

Zpizza recently discovered that an unauthorized person wrongfully accessed certain point of sale systems that zpizza uses to process credit and debit card transactions. Based upon its investigation to date, zpizza reasonably believes that a computer hacker improperly acquired credit and debit card information. This incident did not involve an internal security issue within zpizza. In fact, zpizza has learned that it is one of many small businesses across the nation that has been affected by this computer hacker.

Zpizza has moved swiftly to address this unfortunate incident and is working with the Secret Service to investigate it. zpizza is also working with an outside consultant to ensure that its point of sale systems are secure and protected from any further intrusion.

If you have used your credit card or debit card at this zpizza location from September 2010 through and including January 2011, please consider taking the following immediate steps in order to prevent the unauthorized and unlawful use of your personal information:

[…]

Some of the locations of affected zpizza stores include California, Montana, and Virginia.

Elsewhere, a breach involving a national pizza chain was also rumored to be the source of card fraud reports in the Ohio area, but whether that will pan out (no pun intended) and whether it’s yet another national pizza chain remains to be seen.

Firefly POS Implicated?

At least a few people involved with the situation have been pointing fingers at the Firefly POS software. Over on PMQ.com, a forum for the pizza industry, one owner wrote:

We had a breach of our credit card system. Talked to the bank fraud unit, the local authorities and forensic audit companies. The indication is that the majority of credit card breaches have been with the Firefly/Granbury system from what the people we contacted have said.

Other sources with knowledge of the situation also allege that the breached units of Extreme Pizza and zpizza were all, or almost all, using Firefly. A spokesperson for zpizza confirmed to DataBreaches.net that their breached units were using Firefly.

Whether the Firefly allegations are also correct for Extreme Pizza and other pizza stores could not be confirmed at the time of this posting. Granbury was contacted several times over the past two weeks and asked to respond to the allegations but did not provide answers to questions posed or any statement specifically addressing a number of allegations that have been made.

Charles Hoff, an attorney who has been involved in a number of high-profile cases where restaurants have sued POS vendors and/or their installers, replied “No comment” when asked whether he has been asked to file any lawsuits against Firefly, its parent company, Granbury, or any of their authorized installers.

Deja Vu All Over Again?

The breach description for Mountain Mike’s Pizza sounds somewhat like a number of restaurant breaches in 2008 that occurred when login credentials for remote desktop access were left in a default state and were exploited by hackers. At least one commenter on PMQ.com indicates that his system was breached by a remote-access account that had been enabled to allow support.

As of 2006, Visa had issued warnings about the risks of enabling remote access software – warnings that it has repeated numerous times since. Despite Visa’s repeated warnings, remote access compromise accounted for 41% of attacks in the merchant category during the period January 2009 – June 2010. As recently as April 19, Visa issued an alert, “Remote Access Vulnerabilities—Most Frequent Attack Method Used by Intruders,” and asked acquirers and processors to share the alert with merchants as soon as possible. But despite repeated warnings, either Level 4 merchants have not gotten the message or they have not understood how to ensure they comply with industry standards on firewalls and the need to change default configurations.

Ultimately, of course, it is the stores that are responsible for the security of customers’ credit card and debit card data, and it is the stores that suffer if customers stop using cards or stop frequenting a store if they’ve suffered fraud as a result of transactions with a merchant. But are the processors, acquirers, vendors, and installers doing enough to help the merchants who pay large fees to get a system that they believe is compliant? It doesn’t seem so if four years later, we are still talking about a lot of POS hacks in the restaurant sector.

In the meantime, if these breaches occurred in August and September of 2010 and there was a rash of fraud, how many other national pizza chains were also affected that we haven’t yet found out about in the media? Hopefully, some of the mainstream journalists will start digging into this a bit more.

Update: The Amador County Sheriff’s Office issued a media release about the Mountain Mike’s Pizza breach.

Update of Aug. 5: On July 27, DataBreaches.net received the following e-mail from the Chief Operating Officer of Granbury Technologies:

we recently saw a posting from Scott Thomas Anderson which says Granbury denied any comments

this is NOT true – we have given statements to anyone who has asked (and we have talked to many)

there are some very untrue and misleading information in this posting and we would like a retraction posted immediately

I would certainly entertain a discussion with Scott or whoever is responsible for postings

I expect a prompt response and please note that our legal counsel has been made aware of this and is awaiting your response

respectfully,

mark

I responded to them to point out that Scott Thomas Anderson was not the source of the comments they objected to and to remind them that I had contacted Granbury a few times to ask them specific questions and to request to interview them but they did not get back to DataBreaches.net at any time during a two-week period before that entry was published – even after they had indicated that they might.

Mr. Rosenberg replied, complaining that I should have included comments he had made to me in response to one of the e-mails requesting an interview. His comments in one email were:

There are many misconceptions of what is really going on and how to protect and who they should go to get protection, and certainly the small business owner doesn’t have a clue. I believe that the issuing banks and especially the processors are not doing enough (except covering their butts and blaming others). And the government seems to take the sideline on this which is costing the economy billions.

We’ve been working directly with Secret Service, Dept. of Justice, Visa, M/C, Amex and some receptive processors (as most are not receptive rather they are slanderous and disparaging and false communication)

Those comments were omitted from the original blog entry because even though I agree with them, they were nonresponsive to the questions I had put to them about why there were so many reports and allegations of hacks involving Firefly.

On July 27, DataBreaches.net offered Granbury yet another opportunity to provide their perspective on, or explanation of, the reported breaches and allegations:

If others have made statements that were cited in that piece that you feel are untrue, I will be happy to give you yet another opportunity to give your perspective and clarify any points at a mutually convenient time, and would consider writing a follow-up to that piece.

Granbury did not respond to that offer.

If a report is inaccurate, I want to know so I can issue a correction. To date, however, Granbury has provided no facts or substantive responses. The original blog entry stated:

Whether the Firefly allegations are also correct for Extreme Pizza and other pizza stores could not be confirmed at the time of this posting. Granbury was contacted several times over the past two weeks and asked to respond to the allegations but did not provide answers to questions posed or any statement specifically addressing a number of allegations that have been made.

That statement was accurate at the time of posting and it is still accurate.


About the author: Dissent