Dickey’s Barbecue Restaurants suffered a POS data breach between July 2019 and August 2020. Card details for more than 3 million customers were posted on a carding and fraud marketplace known as Joker's Stash on October 12.
The discovery was made by Gemini Advisory, a cyber-security firm that tracks financial fraud, and detailed on its blog.
Gemini said the data appears to had been obtained after hackers compromised the in-store POS system used at the franchisees’ restaurants.
Gemini says hackers appear to have compromised 156 of Dickey's 469 locations, with the compromised restaurants located across 30 states; and with the highest exposure being in California and Arizona. The payment transactions were processed via the outdated magstripe method, which is prone to malware attacks.
"The vast majority of the payment card data for sale in the cybercrime underground is stolen from merchants who are still swiping chip-based cards," writes KrebsonSecurity.
On October 20, Dickey’s provided the following statement to KrebsonSecurity:
“We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”