14 DAY TRIAL // Hackers compromised the payment processing systems at a Bistro Burger location in San Francisco and may have exfiltrated card information for a period of two months before the breach was contained.
Between October 2 and December 4, 2014, malware lurked on the computer systems used for handling card transactions.
The incident was made known to customers through different media outlets on Monday, but it is not clear why the owners of the business took this long to report it.
Customers advised to monitor bank accounts for suspicious activity
The information that may have been exposed includes name, payment card account number, card expiration date and security code, which is typically the last three digits printed on the back of the card (CVV).
At the moment, there is no indication that the data has been used maliciously, but this possibility should not be excluded.
To reduce the risk of credit fraud, clients are advised to review the bank account statements for irregularities. Should suspicious transactions be noticed, they are recommended to alert the card issuing bank without delay.
Action has been taken to mitigate further risk
Part of the efforts taken to contain the breach included replacing the hard drives on the machines affected by the malicious software and reconfiguration of the point-of-sale (PoS) systems. Additionally, firewall protection has been added to the computers.
Bistro Burger does not offer complimentary identity protection services to the affected customers; as per California law, such an offer is not obligatory. There are no details about the number of customers that may be impacted by the breach, or if they are to receive individual notifications.
Recently, the PoS systems of the Zoup chain of restaurants have been impacted by cybercriminal activity, but investigation into the matter revealed that the compromise occurred at the restaurant’s PoS provider, NEXTEP Systems.
It is possible that other customers of NEXTEP are also affected, although the company has yet to determine the full extent of the breach.