Cicis Pizza has officially confirmed a data breach at 138 locations and published a Notice of Data Breach on its website (http://www.cicis.com/news/data-notification-all) on Jul 18, 2016.
Cicis Pizza is a fast-casual restaurant chain based in Texas. Cyber security experts had reported the breach a month before Cicis Pizza confirmed it. The restaurant chain started receiving complaints from its outlets that the point-of-sale (POS) systems were not functioning normally. When Cicis Pizza tried to fix the issue, it discovered POS malware infections in the POS software on many of the POS systems. The company then brought in cybersecurity experts to help fix the issue.
The experts discovered that a few intrusions had begun as early as 2015 and increased to high levels in Mar 2016. Cicis Pizza has published the list of restaurants where the POS systems had been infiltrated. Customers who had visited these outlets have been advised to check their accounts for any fraudulent activity and to change their passwords/PINs immediately. Any fraudulent activity that has taken place should be reported to the concerned authorities. With prompt reporting, the cardholder is not held responsible for any fraudulent transactions that may have taken place during that period.
Customers' personal information and payment card data (credit card data) could have been compromised. Cicis Pizza has been forthright about the issue and has expressed its regrets over the event.
How did the hackers break in?
Cyber security specialists report that the hackers had sent phishing/spear phishing emails to employees of Cicis Pizza. Some employees were tricked into believing the emails were authentic, and the system became infected as a result. The POS malware was designed to steal payment card data. The malware, which was a remote administration tool, was also able to steal communication between the employees.
The infiltrated malware seems to have been used as part of a POS botnet that stole customer information in real time. This captured data can be sold by the thieves. The stolen card data can be encoded onto blank magnetic stripe cards, and these cards can be used for purchasing goods.
Ensuring POS security
Businesses such as Cicis Pizza must take adequate precautions to protect sensitive customer data. They must educate employees about phishing and spear phishing emails, and ways to identify fraudulent behavior. Further, the POS terminals must be protected against POS malware with robust endpoint antivirus solutions to ensure POS security.