Fast-Food Chain Krystal Investigates Card 'Security Incident'More Than 200 Restaurants Affected Between July and September
Fast-food chain Krystal says it's investigating a payment card "security incident" that affected as many as 228 of its restaurants across southeastern U.S. states
The incident affected debit and credit cards used at certain stores between July and last month, the company says in a statement. Krystal says law enforcement has been notified, and it has retained a forensic firm.
“We have already taken steps to contain and remediate the incident,” the company says. “We are working hard to determine the specific locations and dates for each restaurant involved in the attack.”
Krystal, based in Dunwoody, Georgia, has 342 restaurants across Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, South Carolina and Tennessee. The company's list of the states where its restaurants were affected omitted only Louisiana.
“Our investigation is ongoing,” it says. “We are still determining specific locations and dates for each restaurant involved in the attack.”
Efforts to reach a Krystal spokesperson were not immediately successful. Krystal was acquired in 2012 by Argonne Capital Group, a private investment firm.
Card Processing System Hit
The incident revolved around one of Krystal’s payment card processing systems. Card processing systems are a critical hub for cybercriminals to strike, as security vulnerabilities could result in the harvesting of card details.
The hospitality industry also continues to battle point-of-sale malware, which infects payment card terminals. Cybercriminals can capitalize on vulnerabilities in an organization’s infrastructure, then try to move laterally to get access to payment processing systems.
POS malware - also known as scrapers - seeks to capture unencrypted card details while those are briefly held in a device’s RAM.
"Our investigation is ongoing. We are still determining specific locations and dates for each restaurant involved in the attack."
High-profile breaches such as Target and Home Depot, which were both struck by POS malware in 2013 and early 2014, spurred more awareness of payment card malware and a renewed emphasis on best practices.
In January, the retailer Neiman Marcus reached a $1.5 million settlement with 43 states over a 2013 breach that exposed 40 million cards. In that breach, card-scraping malware collected the data of 370,000 payment cards, of which at least 9,200 were used for fraud (see: Neiman Marcus Settles Lawsuit Over Payment Card Breach).
New Tools Emerge
Law enforcement has had some notable victories in identifying criminals responsible for payment card attacks, but incidents can be elusive and difficult to trace.
In August 2018, the U.S. Justice Department announced the arrests of three Ukrainian men who were allegedly part of a cybercriminal group dubbed FIN7, also known as Carbanak and Navigator. FIN7 frequently hits the hospitality industry and was believed to be behind payment card intrusions at Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli.
FIN7 has been blamed for targeting more 100 companies since 2015. Authorities believe the group was responsible for stealing 15 million card records from 6,500 POS terminals within 3,600 business locations.
Earlier this month, FireEye said FIN7 continued to be active and had developed new malicious tools. Those include Bootswrite, a “dropper,” which only runs in memory. Bootswrite’s job is signed with a legitimate digital signature and is designed to decrypt embedded payloads (see FIN7 Gang Returns With New Malicious Tools: Researchers).
FireEye also studied Rdfsniffer, a module loaded by Bootswrite. It's designed to interfere with the Aloha Command Center Client, an NCR remote monitoring tool for payment-related systems. Rdfsniffer can hijack the user interface and also conduct man-in-the-middle attacks, FireEye said.
Other cybersecurity firms also have noticed emerging new tools. For example, the threat intelligence firm Flashpoint and Cisco's Talos intelligence unit described two types of new POS malware, GlitchPOS and DMSniff, both of which are RAM scrapers (see: Fresh POS Malware Strikes Small and Midsize Companies).