Restaurant Breach Leads to FraudHundreds of Accounts Impacted; Third-Party Hack Suspected
According to authorities with the Huntsville, Texas, Police Department, some 200 people have reported fraudulent debit and credit transactions hitting their accounts after dining at Margarita's Mexican Restaurant. The Huntsville establishment is located on Interstate 45 between Houston and Dallas.
Hunstville Lt. Curt Landrum says investigators believe Margarita's point-of-sale system was infected with a virus after a third-party vendor's network was hacked. "It does not appear to be a skimming incident," Landrum says. "This was happening through the computers at Margarita's, and it looks like someone got in to the third-party vendor that handles the credit card information. They did not directly get into Margarita's system."
Investigators do not believe any of the restaurant's employees are involved. Huntsville PD and the Walker County, Texas, Sheriff's Department are reviewing the fraud incidents with the Secret Service. Landrum says police believe the card numbers were intercepted sometime between early April and mid-May. Customers began reporting fraudulent transactions in July.
Restaurants Targeted by FraudstersJohn Buzzard of FICO's Card Alert Service says, "Restaurants have always generated their share of compromises, and most of them in past years were low-level manual skim operations."
"This is definitely a data breach, not a POS skimming event," says Jerry Silva, founder and financial-services technology strategist for PG Silva Consulting. "Data breaches, in general, are becoming more commonplace. The fact that it's a restaurant is a vulnerability," since restaurants are increasingly targeted by fraudsters who have identified weaknesses in their IT security measures.
Card fraud at restaurants, especially fast-casual diners and pizzerias, has been escalating in recent months. One theory suggests these establishments are vulnerable because of commonalities shared among restaurant POS software.
But when third parties, such as processors or transactions acquirers, are breached, as may be the case in the Margarita's incident, the software theory flies out the window, Silva says. In the end, compliance with the Payment Card Industry Data Security Standard is the best way to prevent cardholder compromises. The problem, however, is that many merchants and processors remain out of compliance.
"Sometimes, if you are a merchant acquirer and are showing a good faith effort to get PCI compliant, a lot of times the auditors will let it go," Silva says. "If they are making good progress, then the auditors sometimes will be lenient. Compliance does not always mean compliant."
If Margarita's or the transaction acquirer was not PCI compliant, then card data could have been transmitted in the clear, unencrypted. "It's almost like we need a different model, like federated security," Silva says. "The process we have in place is not working. And I don't think EMV [Europay, MasterCard, Visa standard] will solve it. I think EMV does solve some of the issues, but not all."
Notice After a BreachFor Neal O'Farrell, founder of the Identity Theft Council, a grassroots network that provides support for victims of identity theft, the greater concern is the steps restaurants are taking to notify patrons after a breach. [See Battling 'Breach Fatigue'.]
"Skimming at restaurants is almost impossible to prevent," O'Farrell says. "Most restaurants are small businesses and typically don't have the resources to focus as much as they should on security."
Restaurants also are public, offering few ways to control who comes in and out. O'Farrell also notes restaurants' high turnover rates, and their relatively lax hiring practices. "They are notorious for high staff turnover and for not conducting criminal background checks, which makes them exceptionally vulnerable to insiders," he says. "And without effective security, they're usually the last to know about a breach. Most restaurants find out they've been breached only after complaints by their customers or notifications from their card processors."
Those security gaps make notification challenging, O'Farrell says, and the Margarita's case is no exception. "Small businesses are often as much a victim of the breach as their customers are," O'Farrell says. He points out that Visa estimates 95 percent of credit card data breaches involve small businesses.
"I think in this case, law enforcement took a very pragmatic approach to going public with the breach, balancing the needs of victims with the need to protect the reputation of the restaurant, which was also the victim," he says. "That's always a good way to handle breach notifications like this. It's like I've always said, how you communicate to victims and customers after a breach can often shape the long-term impact of the breach."