Now present in 41 states, Dickey’s Barbecue Pit (frequently abbreviated as Dickey’s BBQ) is the fastest-growing BBQ chain in the United States and has experienced substantial growth in recent years. Unfortunately, it also spent the past year experiencing a massive data breach that it appears to have been completely unaware of. Since about mid-2019, about three million credit card data were siphoned off from over 150 of the chain’s locations and are currently up for sale on dark web marketplace, Joker’s Stash. The hacker selling them is advertising a “valid rate” of 90 to 100%, indicating that Dickey’s has only just become aware of the breach.
Dickey’s customer credit card information for sale on Joker’s Stash
The breach was reported by security researcher Brian Krebs, covering a new Joker’s Stash offering called “BlazingSun” that appeared last week. The data breach advertised three million credit cards from 35 states, promising that at least 90% of them were functional. While the Joker’s Stash advertisement did not specifically name Dickey’s BBQ, a preliminary investigation by card-issuing institutions traced the data breach back to the chain. Miami security firms Gemini Advisory and Q6 Cyber also contributed to the investigation.
Dickey’s BBQ locations are individually-owned franchises, which have freedom to determine what point-of-sale (POS) systems they will implement. Given this, it is assumed that the data breach was caused by a third-party payment processor that is commonly used by franchisees. No responsible party has been named as of yet, but the highest amount of credit card exposure appears to have been in California (where Dickey’s has 66 locations, the second-largest number outside of its native Texas) and Arizona (24 locations, the third-largest). The Joker’s Stash ad also said that “some” of the card numbers originate from Europe and Asia, likely obtained from tourists visiting the United States who stopped at a compromised Dickey’s.
The numbers of compromised credit cards are eye-popping: three million across some 156 Dickey’s locations in 30 states. But perhaps the most concerning factor is the length of the data breach; security researchers believe it went unnoticed from May 2019 to September 2020, and was only discovered because of the public offering made on the Joker’s Stash forum. Gemini reports that there was a smattering of compromised locations across nearly every state that Dickey’s is present in; surprisingly, only three of the 123 locations in Texas were breached.
Dickey’s issued the following statement about the data breach: “We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved.”
The Joker’s Stash incident is not the first cyber crime setback the chain has faced; in 2015 it was hit by the CryptoLocker ransomware, and opted to restore its internal network from backups instead of paying a $6,000 ransom.
Mag stripes overwhelmingly show up in data breaches
While there are still few details about the payment processor that was compromised and the exact nature of the data breach, Gemini is reporting that it was most likely a system that requires customers to swipe a magnetic stripe rather than using an embedded EMV chip. Krebs points out that a recent takedown of underground forum BriansClub, one of the main competitors of Joker’s Stash, found that about 97% of the stolen credit card data for sale there was gleaned from magnetic stripes. Though Visa and Mastercard have required retailers to implement EMV chip systems or face full responsibility for the losses associated with credit card data breaches since 2015, many are still using a magnetic stripe system.
The Joker’s Stash ad touted that the stolen credit card data contained both Track 1 and Track 2 information. In magnetic stripe systems, Track 1 contains the credit card’s critical financial details (such as the bank ID and account number) plus the holder’s full name. Track 2 contains much of the same information minus the cardholder’s name, and is used primarily with older dial-up verification systems. The inclusion of Track 1 information is particularly concerning as it pairs the card user’s name with quite a bit of their account information, giving attackers a foothold to attempt to impersonate them with their bank and potentially gain a higher level of access.
Saryu Nayyar, CEO at Gurucul, feels that the responsibility here is squarely on retailers that refuse to move on from payment systems that have been outdated for several years now: “The credit card dump of Dickey’s BBQ customers’ cards highlights a number of issues. The first is a lack of consistency and enforcement in POS terminal operations. The fact that we are still seeing mag-stripe based data, when chipped cards have been ubiquitous for years, indicates that many retailers have not taken card security seriously. The second issue is the apparent fact that this breach was ongoing for more than a year. Organizations need to do more, and quickly, to prevent this kind of theft. They need to deploy the latest POS equipment, even at small franchise locations, and have an up to date security stack, including behavioral analytics, that can detect a breach long before three million customer credit card numbers wind up for sale on the dark web. This was most likely entirely preventable.”
Warren Poschman, senior solutions architect with data security specialists comforte AG, highlighted the greatly increased cyber crime during the pandemic and pointed out that threat actors are looking for easy vulnerabilities just like these outdated magnetic stripe systems: “As the breach at Dickey’s BBQ reminds us, there is still plenty of meat left on the bone of credit card fraud despite the dramatic shift in coverage to privacy and identity theft. With COVID-19 pushing businesses in the fast casual restaurant segment to the brink, attackers are taking advantage of lax security while many are in survival mode. Regardless of the ill timing, organizations need to ensure that every step in the payment cycle is secured from acquisition to settlement. For merchants in the store, this means requiring the use of secure connections from the payment entry device to the backend using point-to-point encryption and tokenization to remove cardholder data from these vulnerable systems. For backend payment processors and the merchants that outsource to them, this means without exception tokenizing all data, both payment and personal, to ensure that any breach or leak of data will not result in exposure.”
While there is still no federal data privacy law in the United States, Dickey’s will likely face substantial fines under the California Consumer Privacy Act (CCPA) given that the bulk of the activity was in that state. EMV compliance is mostly enforced by industry standards rather than government regulation, but the major credit card companies have made clear that any successful class action lawsuits will leave the merchants bearing the full cost if magnetic stripes are linked to a breach.