This content is part of the Essential Guide: Understanding and responding to POS malware
News Stay informed about the latest enterprise technology news and product updates.

Report: Chick-Fil-A data breach affects locations nationwide

The popular fast-food chain has suffered what may be a massive, months-long payment card data breach that likely dates back as far as December 2013.

Popular fast-food chain Chick-Fil-A Inc. is investigating a payment card data breach affecting an unknown number of its U.S. locations, but early indications suggest many thousands of customer accounts may have been compromised.

First reported Tuesday evening by Krebs on Security, the Chick-Fil-A data breach may date back to December 2013.

Financial institutions told veteran security reporter Brian Krebs they first discovered a pattern of fraud in November, but a credit card association alert issued shortly before Christmas 2014 indicated the breach window may have stretched from Dec. 2, 2013, through Sept. 30, 2014.

While the credit card association declined to identify the retailer, a separate financial institution told Krebs that Chick-Fil-A was the only common point-of-purchase among the nearly 9,000 customer card accounts assigned to its customers and listed in the alert.

The financial firm also noted that 9,000 was higher than the number of compromised accounts that it experienced as a result of 2013's epic Target Corp. data breach, which involved the compromise of 40 million credit and debit cards, email addresses and telephone numbers of up to 70 million customers.

By comparison, Target's period of compromise lasted about three weeks and affected the majority of its 1,700 U.S. stores, suggesting that a Chick-Fil-A breach lasting 10 months and affecting an even smaller percentage of its 1,850 U.S. locations may be comparable in size and scale to the breaches at Target and Home Depot Inc.

In a statement to SearchSecurity, Chick-Fil-A said it recently received reports of what it called "potential unusual activity involving payment cards used at a few" of its restaurants.

"We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts," Chick-Fil-A said in the statement. "We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so.

"If the investigation reveals that a breach has occurred," the company added, "customers will not be liable for any fraudulent charges to their accounts. Any fraudulent charges will be the responsibility of either Chick-Fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring."

A source told Krebs that while the bulk of the fraud to date was tied to locations in Georgia, Maryland, Pennsylvania, Texas and Virginia, though Chick-Fil-A locations across the country have been affected.

The Chick-Fil-A data breach is the latest sign that restaurant chains represent an increasingly attractive target for attackers seeking to steal customer payment card data.

In October, International Dairy Queen Inc., operator of Dairy Queen and Orange Julius restaurants, confirmed that the infamous Backoff malware was behind the recent theft of payment card data at nearly 400 of its 4,500 U.S.-based locations.

A month earlier Illinois-based sandwich shop franchise Jimmy John's revealed that it had suffered a credit and debit card data breach at 216 of its locations.

Krebs noted that in both the Dairy Queen and Jimmy John's breaches, the affected locations had outsourced the management of their point-of-sale systems to third-party companies. Attackers were able to gain POS system access via the third parties and install point-of-sale malware to steal payment data.


Next Steps

Chester Wisniewski of Sophos details some of the threats point-of-sale environments are likely to face, and experts discuss general PoS security weaknesses.

Dig Deeper on Data security breaches

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

The article makes a very good point in that these small point of purchase spots (food places that do lots of small transactions) have a lot of surface area to do damage. How many of us think next to nothing about swiping our cards at lunch? Though there isn't a Chick-Fil-A near me, I have a few places I frequent that would certainly provide a lot of damage to a lot of people if they were hit (makes the prepaid lunch cards a lot more appealing in this circumstance).
With all the breaches lately, I'm glad I do not make small purchases wit a credit / debit card. I usually only use them for purchases over $100 anything less it's cash. I'd be curious as to how many people use them or their smartphones for payments under $10-20. To me the convenience is not worth the security risk
Hoping a good outcome follows for the security of their POS and investigation may take a while to sort through the magnetic stripe data
It's a learning process. I never use a debit card for this reason and I think the credit card breaches of the past - remember carbons from gas station purchases?? - are the POS hacks of today. It's small potatoes, but we're so connected that now we know of every incident. And all things being relative, the percent of $$ being stolen (or amount of data) is commensurate with the amount of money out there or the amount of data we now move on a daily basis. We're still going to see this stuff happen, and it will always be common in the spots that are fast-moving and low on the per-purchase $$ scale.