Threat actors accessed customer payment card data at four restaurant chains over the summer after compromising their payment systems with malware. On October 2nd, 2019, McAlister’s Deli, Moe’s Southwest Grill, Schlotzsky’s and Hy-Vee disclosed in public statements that their networks were infected with point-of-sale (POS) malware that copied data from cards used at certain locations. McAlister’s, Moe’s and Schlotzsky’s have around 1,500 locations collectively across the U.S. and are owned by the same parent company, Focus Brands. Hy-Vee, which has over 245 locations, operates in the retail (fuel pumps, grocery, convenience, drug store) business and is employee-owned. The three Focus Brands companies released details about the incident, which affected corporate and franchised restaurants. The malware was stopped on July 22, 2019. The breaches at Moe’s and McAlister’s started on April 29th, while the breach at Schlotzsky’s started on April 11th. Hy-Vee stated that fuel pumps had been affected since December of 2018 and drive-thru coffee shops since January of this year. It is not yet known how many customers were affected. The stolen data included the customer’s card number, expiration date, internal verification code, and the cardholder’s name. Depending on the brand, country of origin and amount of detail that comes with the card, each card can potentially be sold for $35 on the darknet. Criminal actors can purchase the card data, encode it onto the magnetic stripes of fraudulent cards, and then attempt to use those cards to make fraudulent purchases.