Compromise extended over a period of two months

Apr 24, 2015 16:01 GMT

For more than two months, customers paying with their cards at a Bistro Burger location in San Francisco may have had their financial data pilfered after hackers compromised the restaurant's cash register system.

Back in March, a similar incident was disclosed at the chain's 201 Mission St. location; that breach was determined to have extended over two months in 2014.

Card data has been exposed

This time around, only the timeframe of the incident and the restaurant have changed: the Market Street Bistro Burger has been hit, and the breach spans January 4, 2015, through March 13, 2015.

As for the data that could have been exposed, it includes cardholder names, payment card account numbers, expiration dates and card security codes (CVV, card verification value). Together, these are sufficient for someone to make fraudulent card-not-present purchases online.

Just like in the previous case, the restaurant is not aware of any customers having incurred fraudulent charges as a result of the incident.

Cybercriminals prey on weak security

“We sincerely regret any frustration or concern this incident may cause. We have taken steps to help prevent this type of incident from recurring at our restaurant. We contained the incident by replacing the computer server that was targeted by the malicious software and replacing the firewall protection for our servers,” reads the data breach announcement.

However, this type of assurance tends to lose its effect if issued too often. The company did not provide information about the circumstances of the incident, but, as security researchers often find in their investigations, poor security of the payment processing machines, along with insecure practices of the PoS vendor, is what leads to cash registers getting infected.

At the RSA security conference in San Francisco this week, researchers from Trustwave and Bishop Fox gave a presentation on the security state of PoS terminals and the back-of-house servers that forward payment information for purchase authorization.

In one case, the PoS vendor had been shipping products with the same default password since 1990, and customers did not change it. In another, the payment processing machines were also being used to play games, as the keylogging module of the malware infecting them revealed.