The data-breach Grinch is stealing Christmas from a big restaurant supplier and Lucky Supermarkets, a major West Coast grocery chain, both of whose payment card acceptance systems were compromised recently by fraudsters using different techniques.
The breach at Queens, N.Y.-based Restaurant Depot LLC, which also does business under the Jetro Cash & Carry brand, has links to Russia and probably compromised at least 200,000 credit and debit card accounts, company chief executive Stanley Fleishman tells Digital Transactions News. He says he doesn’t yet know the number of accounts actually hit with fraud or the total amount of losses. The compromised data include account numbers, expiration dates, verification codes, and, in the case of debit cards, some PINs.
“It’s been a nightmare,” Fleishman says. Restaurant Depot says it will reimburse customers for losses not covered by their card issuers, either through insurance or directly.
Meanwhile, card skimmers placed on point-of-sale terminals to harvest data from transactions in unattended checkout lanes in 24 Lucky stores in California apparently compromised hundreds of card accounts.
Both incidents remain under investigation. Restaurant Depot called in Chicago-based Trustwave Holdings Inc. to examine its payment and computer systems after learning on Nov. 9 that some of its customers had experienced fraud on their card accounts after making card purchases at Jetro/Restaurant Depot locations. The company has 79 stores throughout the country that sell food and supplies to restaurants.
The source of the fraud was malware placed on a server in New Jersey that links Restaurant Depot’s computer systems with its merchant-acquiring bank, PNC, according to Fleishman. The malware apparently stored card information for a short time and then transmitted it to a server in Russia, Restaurant Depot said in a notice to customers.
The malware harvested data from all but one of Restaurant Depot’s stores, one that just opened, Fleishman says. The fraudulent data gathering began Sept. 21 and didn’t end until Nov. 18.
Restaurant Depot was validated within the past year as compliant with the Payment Card Industry data-security standard (PCI), Fleishman says. Now the company is going to enhance its data-protection system, though Fleishman, after speaking with computer experts for more a month, isn’t sure how long it will keep the thieves at bay.
“We’re going to install a bigger mousetrap,” he says. “What [investigators] are telling me is when we’re installing a bigger mousetrap, the fraudsters are building a bigger mouse. It’s a game to them.”
Privately held Restaurant Depot does more than $1 billion in business annually and in addition to cards accepts cash and checks. Perhaps luckily, cash is its biggest payment form, according to Fleishman, though he wouldn’t divulge each payment form’s respective share.
Not so lucky are some Lucky customers who used self-checkout lanes at 24 stores in the San Francisco Bay area some time before Nov. 23. The company said one skimmer was placed in a targeted lane in each store. Data were transmitted out of the stores wirelessly. Fraudsters placed the skimmers on older VeriFone terminals, according to one press account. Since discovering the skimmers, Lucky parent company Save Mart Supermarkets has replaced or inspected 2,557 credit and debit card readers in all 233 of its stores in Northern California and Northern Nevada.
In its latest update on its Web site, Lucky said that based on customer reports to its call center, the breach so far has resulted in “fewer than 1,000 incidents of reported loss or attempted loss.” The San Jose Mercury News reported Monday that one victim was a non-profit, South Bay Blue Star Moms, that takes donations to send care packages and holiday goods to local homeless veterans and military members overseas. That group’s account lost $3,000 in seven transactions, the newspaper reported.
A Save Mart spokesperson told Digital Transactions News by e-mail that the company has been compliant with the PCI standards.
Gartner Inc. technology and security analyst Avivah Litan says the breaches show that magnetic-stripe cards are too vulnerable in the face of today’s increasingly sophisticated attacks, even if merchants meet the PCI rules.
“Until they change the payment system, it’s just going to keep happening,” Litan tells Digital Transactions News. The so-called EMV chip card, while not perfect, “is the global alternative, and it certainly has worked in other countries,” she adds.