The
pizza is one of the more iconic foods in this culture. Consumers have positive
thoughts with regard to indulging in the meal. What is not welcomed is the
occasional issue with the credit card system. This unfortunately occurred with
the Ci Ci’s recent breach. There were over 130 locations affected (Bisson,
2016; Pleasant, 2016; Kan, 2016; Copeland, 2016). Specifically there were
problems noted with the POS system at these locations. The investigation
started in March 2016 (Northrup, 2016). The noise regarding this issue was from
several locations (Bisson, 2016) and curiously enough six financial
institutions (NAFCU, 2016; Dissent, 2016).
The
locations had found the POS systems appeared to be malfunctioning. This acted
as the respective site’s red flag that something was not quite right. From the
financial intermediary sources, they noticed the increase in fraud in their
selected client accounts (NAFCU, 2016). As the numbers of feared cases began to
increase, the affected parties researched the issue and contacted Ci Ci’s. The
issue revolved around malware that had been placed on the affected systems. A
third party was contracted to review the sites and remediated the issues. The
sites affected were widespread. These were located in Alabama, Arkansas, Florida,
Georgia, Kentucky, Louisiana, Maryland, Missouri, Mississippi, North Carolina,
Ohio, Oklahoma, South Carolina, Tennessee, Virginia, and Wisconsin (Northrup,
2016).
This is
not a new phenomenon. Other recent targets of this nefarious activity were
Wendy’s, Dairy Queen, Buffalo Wild Wings, Taco Time, and Wingstop. These all
together also were across different sized restaurants (national chains and
local) and type of food.
Attack
This
was noted as a problem in early March 2016 when the POS systems were not
working well (Krebs, 2016). After it became readily apparent that there was an
issue, more of an investigation ensued. There was indeed a breach of the POS
system (Secureworld, 2016). The remainder of the sites was analyzed for the
presence of malware by 403 Labs (Krebs, 2016). The vendor determined the breach
was initiated in 2015 and the malware was active through the discovery date.
To gain
unauthorized access, a group posed as technical support for Ci Ci’s POS
provider, Datapoint (Able, 2016; Guard, 2016). After using the usual social
engineering tactics, the attackers gained access and downloaded the malware
(Krebs, 2016). Once the malware was on the system, the program was able to
capture the credit card data per consumer. This data for the victim’s credit
cards was then bundled together and sold to others. The purchasers would then
place the data on credit card blanks, embossed these with the correct consumer
information, and these were used to purchase higher end products.
Summary
There
continues to be one focus of attack-the user. This continues to be a weak link.
The attackers could have taken an abundance of time to perform a full hack of
the system (enumeration, google hack, review potential system vulnerabilities,
etc.). This may have taken much more time that what was necessary with this
simple social engineering attack against a handful number of employees with
access the attackers needed. The tactic to best defend against an attack much
like this is simply training, more training, and a healthy dose of
thoughtfulness.
References
Abel, R. (2016,
June 9). Update: Possible POS breach at cici’s pizza. Retrieved from http://www.scmagazine.com/cicis-pizza-may-have-experienced-pos-breach-through-third-party/article/501245/
Bisson, D. (2016,
July 20). Cici’s pizza suffers payment card breach at 130+ locations. Retrieved
form http://www.tripwire.com/state-of-security/latest-security-news/cicis-pizza-suffers-payment-card-breach-at-130-locations/
Copeland, M.
(2016, July 22). Credit card security breached at local cici’s restaurants.
Retrieved from http://www.wacotrib.com/news/business/credit-card-security-breached-at-local-cicis-restaurants/article_c5729531-b48e-5c60-9c56-4db2c58a6575.html
Dissent. (2016,
June 4). Banks: Credit card breach at cici’s pizza. Retrieved from https://www.databreaches.net/banks-credit-card-breach-at-Cici-s-pizza/
Guard, B. (2016,
June). Suspected data breach at cicis pizza exposes customer payment cards.
Retrieved from http://blog.billguard.com/2016/06/apparent-data-breach-cicis-pizza-exposes-customer-payment-cards/
Kan, M. (2016,
July 20). Hackers have targeted 130 restaurants at cicis pizza chain. Retrieved
from http://www.pcworld.com/article/3098167/hackers-have-targeted-130-restaurants-at-cicis-pizza-chain.html
Kreb, B. (2016,
July 19). Cici’s pizza: Card breach at 130+ locations. Retrieved from https://krebsonsecurity.com/2016/07/cicis-pizza-card-breach-at-130-locations/
NAFCU. (2016).
Cici’s pizza hit by data breach. Retrieved from https://www.nafcu.org/News/2016_News/June/Krebs_Cici_s_Pizza_hit_by_data_breach/
Northrup, L.
(2016, July 20). Eat at cici’s pizza in the last year? Watch your credit card statements.
Retrieved from https://consumerist.com/2016/07/20/eat-at-cicis-pizza-in-the-last-year-watch-your=credit-card-statements
Pleasant, R.
(2016, July 20). Cici’s pizza data breach serves a slice of credit card theft.
Retrieved from http://siliconangle.com/blog/2016/07/20/cicis-pizza-serves-a-slice-of-credit-card-theft/
Secureworld.
(2016, July 21). Cici’s pizza suffers data breach: 17 states affected.
Retrieved from http://www.secureworld.expo.com/cicis-pizza-suffers-data-breach-17-states-affected-0?utm_source=Copy+of+SW+Post+July+21%2C+2016&utm_compaign=SW+Post#3a+July+7%2C+2016&medium=em
