Compromise lasted for almost three months

Jun 6, 2015 08:21 GMT

Eataly discovered that the system processing payments at its NYC Retail Marketplace location had been compromised since mid-January and that an unknown actor had access to customers’ payment card information for almost three months.

The retailer says that there is no indication that point-of-sale systems from other locations, either at grocery stores or restaurants, were compromised.

Payment info not stored on the system

The time interval for the breach determined by the forensic investigation is January 16 through April 2, and it is believed that card data from any customer making a purchase at the affected location between these dates was captured by cybercriminals.

According to a notification from the retailer, the information exposed includes names, payment card account numbers, expiration dates and the card verification value (CVV) code. This is sufficient for crooks to make transactions online in the name of the victim.

The company says that it does not store payment information from its customers, a measure that should lower security risks. However, when processed, the data becomes available in the memory of the system and malware can read it from there.

“We believe that the malware used by the attackers was designed to intercept our customers’ payment card transaction data in real time as their payment cards were being processed through the point-of-sale environment in use at the Eataly NYC Retail Marketplace,” the retailer adds.

Payment systems restored, measures taken to increase security

At the moment, the threat is no longer present on the payment processing system and card transactions should be possible without risk. To increase the security of card payments, the company plans to introduce encrypted swiping machines and implement a solution for better system monitoring.

Impacted customers will not be contacted by Eataly because the retailer does not collect and maintain any contact data. Anyone making a purchase at the affected location during the breach interval is advised to check their bank account statements for suspicious transactions.

Eataly offers one year of free services to protect impacted customers against fraud and identity theft. This requires activation, which can be done no later than April 22, 2016.