Dickey's Barbecue Pit, a restaurant franchise with 156 locations across 30 states, was hit by a malware-based, point-of-sale data breach. The details of the breach surfaced after Gemini Advisory, a cybersecurity firm, found the stolen cards on a Joker’s Stash, a hacker’s forum for stolen payment data. The data was traced back to the compromised point of purchase (CPP) — Dickey’s Barbecue Pit.
It's believed payment systems were compromised by card-stealing malware, with the highest exposure believed to be in California and Arizona. It’s believed the transactions were made with magstripe cards, and the breach could have occurred on a single central processor, according to Gemini. Reports indicate that since about mid-2019, credit card data from roughly 3 million payment cards were stolen. It's believed the +3 million credit cards stem from 35 states, spanning a time frame of over a year.
The hacker’s forum reportedly announced the a majority of the cards are still active and in good standing, which indicates that many financial institutions, along with potentially impacted cardholders, may be unaware of the impact. Financial institutions should be taking measures to proactively prevent any future fraudulent activity on potentially impacted cards.
Gemini Advisory reports the payment transactions were made using magstripe cards, which could mean that some of the POS payments may not have been chip and pin compliant or the transactions was swiped instead of inserted. Dickey’s is a franchise, and unlike a chain, allows each individual location to choose their own point-of-sale payment processing device. It’s believed that the breach was linked to a single central processor that was used by over a quarter of all Dickey’s locations.