Huddle House payment card breach could potentially impact 300,000 customers – researchers

Georgia-based Huddle House opened in Decatur, Georgia, in 1964.  Over the years, they have cultivated their brand as the kind of place where customers can get a good meal any time of the day, with their breakfast menu having become a big favorite. Huddle House currently has more than 350 franchises across the country.

Last Friday, the firm issued a press release disclosing that some of their franchisee-operated restaurants had experienced a payment card breach.  According to their statement,

Criminals compromised a third-party point of sale (POS) vendor’s data system and utilized the vendor’s assistance tools to gain remote access—and the ability to deploy malware—to some Huddle House corporate and franchisee POS systems.

Huddle House did not reveal the name of the vendor nor the type of malware. They did disclose, however, that they only became aware of the incident when they were contacted by a law enforcement agency and Huddle House’s credit card processor.

As of last week,  the chain did not know how many locations may have been impacted or how many customers may have had their card data compromised, but based on their investigation to date, they advised that if customers had used a payment card at any Huddle House locations on or after August 1, 2017, the card information might be at risk.

In an exclusive interview with DataBreaches.net,  Stas Alforov, Director of Research and Development at  Gemini Advisory, revealed that it was Gemini Advisory who had alerted law enforcement after they independently confirmed the Huddle House breach through the identification of Huddle House data for sale on one of the largest currently active dark web marketplaces. This marketplace is associated with the sale of millions of compromised payment cards in 2018.

“Through an in-depth analysis of the compromised payment card data, Gemini has identified that various Huddle House locations have been breached in Alabama, Georgia, Mississippi, New Jersey, and Virginia with an exposure of at least 9,000 payment cards. Additional analysis indicated that this breach has potentially expanded to Huddle House locations in 21 US states with an exposure of nearly 300,000 payment card records,” Alforov told DataBreaches.net. That number could be even higher, he acknowledged,  if additional databases were put up for sale on other shops or sites.

Huddle House locations (marked in orange) with compromised payment cards potentially associated with the Huddle House breach (marked in blue). Source:  Gemini Advisory, used with permission.

Gemini Advisory turned over all of its findings to US federal law enforcement for further analysis. Law enforcement, in turn, promptly alerted Huddle House.

Of note, Alforov tells DataBreaches.net that they also found cards from what appears to be an unrelated chain of restaurants. DataBreaches.net is not naming that chain at this time, although Gemini Advisory has already reached out to its CEO.

Databreaches.net has reached out to Huddle House for a response to the researchers’ findings and will update this post if a response is received. Huddle House’s initial notification appears below.

Huddle House - Any Meal. Any Time. Breakfast, Lunch, Dinner.

About the author: Dissent