Wholesaler Breach Affects 200,000
Card Details Stolen from Stored Mag-Stripe Data
Forensic investigators hired by the wholesaler determined hackers were able to obtain magnetic stripe card credentials via the Internet by accessing Restaurant Depot's network, the company reports. The information compromised was from credit and debit cards used at its wholesale outlets from Sept. 21 through Nov. 18.
Restaurant Depot, based in Queens, New York, has 89 locations throughout the U.S.
A breach notification letter was mailed out Nov. 25 to more than 200,000 affected customers, detailing the compromised information that was taken, including names of cardholders, credit or debit card numbers, card expiration dates and verification codes.
Fleishman says he does not know the exact number of fraud cases that have resulted thus far from the breach. "[Customers] would report it to the banks," he says. "We have no idea."
Restaurant Depot, in its letter to customers, said it would reimburse them for any costs they reasonably incurred as a result of the breach. For example, if customers are required to pay any fraudulent charges on their credit or debit cards, or if a bank charges a fee for replacing the compromised cards, the wholesaler will cover the cost.
Customers are also being offered a free one-year membership to an ID Experts service, which offers credit monitoring and up-to-date information on new identity theft scams, tips for protection and legislative updates.
In its letter, Restaurant Depot also notes:
- Customers should contact officials at card issuers immediately, asking them to cancel or reissue the compromised cards;
- Statements should be closely reviewed for any credit or debit card used at one of the company's U.S. stores between Sept. 21 and Nov. 18; and
- Customers should not provide information to anyone who calls or e-mails asking for confidential information.
On Nov. 9, the company learned that some customers had experienced credit card fraud after they used cards at Restaurant Depot and Jetro Cash & Carry stores. The company then hired Trustwave, a computer forensics firm, to investigate the incident.
"We have a team of forensics experts that are making sure they understand the nature of the breach and are designing a better and improved mouse trap to catch the next mouse," Fleishman says.
Restaurant Depot notified all major card brands and provided information regarding potentially compromised accounts. The card brands then notified card-issuing financial institutions, which can take steps to protect cardholders through enhanced fraud monitoring or by reissuing cards, the letter explained.
Most of the 89 locations throughout the U.S. were affected by the breach, Fleishman says, but he did not give an exact number.