Add Chick-fil-A to the always-growing list of businesses whose customers' credit and debit card numbers have apparently been stolen by malware-planting hackers in a security breach.
Security researcher Brian Krebs initially heard from unnamed “Sources at several U.S. financial institutions” that a recent spate of fraudulent charges all had one thing in common: the compromised cards had been used for payment at various Chick-fil-A locations around the country. Spokespeople for Chick-fil-A said they've received and are investigating similar reports.
So far, details remain scanty. Krebs' financial-industry sources first started noticing fraudulent charges possibly connected to CFA early in November, though Krebs called those initial reports “spotty at best.”
Common point of purchase
Remember that, from the perspective of both the card-issuing financial institutions and the possibly hacked companies like Chick-fil-A who accept credit cards as payment, it can be very difficult to even discover that a security breach happened, let alone when and where.
When card companies start collecting unusually high numbers of fraudulent-charge complaints from their cardholders, or when lists of stolen card numbers and other account information turn up for sale on illegal black-market websites, usually the only way to find out where those numbers were stolen from is to comb through the payment histories of all the affected accounts looking for what's known as a “common point of purchase,” or CPP.
That's more difficult than it sounds, especially when it's so very easy to find false positives. For example, suppose those first few fraudulent charge complaints came from customers who, in addition to Chick-fil-A, had also all used their cards at a Walmart fairly recently and used their credit cards to pay a state car-registration bill in 2014 — which of those similarities is the real common point of purchase? Plus, the banks probably don't even know how far back they must look to find the CPP: did the breach happen in the last week? The last month? Last year? Longer than that?
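As an added illustration of the common-point-of-purchase analysis described above (this is example code written for this page, not anything from Krebs, the card brands or Chick-fil-A), the script below runs the search over a small set of constructed, hypothetical card histories. Two ideas from the text are built in: a merchant only qualifies if nearly every compromised card used it inside the lookback window, and the candidate is then compared against a control group of untouched cards so that a merchant everyone shops at anyway (the Walmart of the example) is recognised as a false positive. The merchant names, card ids, dates and the "today" used for the lookback are all assumptions invented for the demo.

```python
from collections import Counter
from datetime import date, timedelta
from fractions import Fraction

# Constructed sample data (hypothetical, not real transactions). Each card id
# maps to a list of (transaction date, merchant). The six "compromised" cards
# are the ones the issuer has received fraud complaints about; the "control"
# cards are a sample of cardholders with no complaints, used as a baseline.
COMPROMISED = {
    "card-01": [(date(2014, 1, 14), "Chick-fil-A"), (date(2014, 10, 2), "Walmart"),
                (date(2014, 3, 1), "State car registration")],
    "card-02": [(date(2014, 2, 20), "Chick-fil-A"), (date(2014, 11, 5), "Walmart"),
                (date(2014, 3, 3), "State car registration")],
    "card-03": [(date(2014, 5, 9), "Chick-fil-A"), (date(2014, 9, 29), "Walmart"),
                (date(2014, 4, 10), "State car registration")],
    "card-04": [(date(2014, 6, 30), "Chick-fil-A"), (date(2014, 11, 20), "Walmart"),
                (date(2014, 2, 14), "State car registration")],
    "card-05": [(date(2014, 8, 12), "Chick-fil-A"), (date(2014, 11, 28), "Walmart"),
                (date(2014, 7, 7), "State car registration")],
    "card-06": [(date(2014, 9, 25), "Chick-fil-A"), (date(2014, 10, 15), "Walmart")],
}
CONTROL = {
    "card-11": [(date(2014, 10, 3), "Walmart"), (date(2014, 3, 12), "State car registration")],
    "card-12": [(date(2014, 11, 1), "Walmart")],
    "card-13": [(date(2014, 4, 4), "Chick-fil-A"), (date(2014, 11, 11), "Walmart"),
                (date(2014, 5, 5), "State car registration")],
    "card-14": [(date(2014, 9, 9), "Walmart"), (date(2014, 1, 20), "State car registration")],
    "card-15": [(date(2014, 10, 30), "Walmart")],
    "card-16": [(date(2014, 6, 6), "State car registration")],
}

# Constructed "today" for the analysis; lookback windows are measured from here.
ANALYSIS_END = date(2014, 12, 1)


def lookback_window(end, days):
    """Return (start, end) covering the `days` days ending on `end`, inclusive."""
    return end - timedelta(days=days), end


def merchant_coverage(histories, start, end):
    """Fraction of cards that paid at each merchant at least once within [start, end].

    A card counts once per merchant no matter how often it was used there, so the
    result answers "what share of these cards touched this merchant?".
    """
    seen = Counter()
    for txns in histories.values():
        for merchant in {m for d, m in txns if start <= d <= end}:
            seen[merchant] += 1
    n = len(histories)
    return {m: Fraction(c, n) for m, c in seen.items()}


def rank_common_point_of_purchase(compromised, control, start, end,
                                  min_coverage=Fraction(9, 10)):
    """Rank candidate common points of purchase for the compromised cards.

    A merchant qualifies only if at least `min_coverage` of the compromised cards
    used it inside the window. Qualifying merchants are then ordered by lift:
    coverage among compromised cards divided by coverage among control cards.
    A merchant almost everyone uses anyway has lift near 1 and is a false
    positive; the real breach point stands out because its lift is high.
    Returns a list of (merchant, coverage, baseline, lift), best candidate first.
    """
    comp = merchant_coverage(compromised, start, end)
    ctrl = merchant_coverage(control, start, end)
    ranked = []
    for merchant, coverage in comp.items():
        if coverage < min_coverage:
            continue
        baseline = ctrl.get(merchant, Fraction(0))
        # A merchant no control card ever used gets infinite lift.
        lift = coverage / baseline if baseline else float("inf")
        ranked.append((merchant, coverage, baseline, lift))
    ranked.sort(key=lambda r: (-r[3], -r[1]))
    return ranked


if __name__ == "__main__":
    # A 30-day lookback misses every Chick-fil-A charge in the sample, which is
    # the "how far back must we look?" problem; the year-long window finds it.
    for days in (30, 365):
        start, end = lookback_window(ANALYSIS_END, days)
        print(f"lookback {days} days ({start} to {end}):")
        for merchant, cov, base, lift in rank_common_point_of_purchase(
                COMPROMISED, CONTROL, start, end):
            print(f"  {merchant:24s} coverage={float(cov):.2f} "
                  f"baseline={float(base):.2f} lift={float(lift):.2f}")
```

With the year-long window both Chick-fil-A and Walmart are used by every compromised card, but Walmart is used by most control cards too, so its lift is barely above 1 while Chick-fil-A's is six times higher; the car-registration payment drops out because one compromised card never made it. Shrink the lookback to 30 days and no Chick-fil-A charge falls inside it at all, which is why an issuer that guesses the wrong window can miss the real CPP entirely.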
So in early November, when the banks (and security researchers) first started noticing spotty reports of accounts which might have been breached at a Chick-fil-A somewhere, they had insufficient evidence to go public with any warning. But that changed just before Christmas, said Krebs, when new information came to light:
…. one of the major credit card associations issued an alert to several financial institutions about a breach at an unnamed retailer that lasted between Dec. 2, 2013 and Sept. 30, 2014.
One financial institution that received that alert said the bank had nearly 9,000 customer cards listed in that alert, and that the only common point-of-purchase were Chick-fil-A locations.
“It’s crazy because 9,000 customer cards is more than the total number of cards we had impacted in the Target breach,” the banking source said, speaking on condition of anonymity.
Krebs' source also said that, while potentially compromised Chick-fil-A branches can be found all over the country, the bulk of the breach seems to have happened at Chick-fil-A branches in Georgia, Maryland, Pennsylvania, Texas and Virginia.
Chick-fil-A issued a statement saying:
“Chick-fil-A recently received reports of potential unusual activity involving payment cards used at a few of our restaurants. We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts.”
“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so. If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts — any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”
In the meantime, it's always a good idea to monitor your own account activity, whether you've eaten at a Chick-fil-A this past year or not.