Popular fast-food chain Chick-Fil-A Inc. is investigating a payment card data breach affecting an unknown number of its U.S. locations, but early indications suggest many thousands of customer accounts may have been compromised.
First reported Tuesday evening by Krebs on Security, the Chick-Fil-A data breach may date back to December 2013.
Financial institutions told veteran security reporter Brian Krebs they first discovered a pattern of fraud in November, but a credit card association alert issued shortly before Christmas 2014 indicated the breach window may have stretched from Dec. 2, 2013, through Sept. 30, 2014.
While the credit card association declined to identify the retailer, a separate financial institution told Krebs that Chick-Fil-A was the only common point-of-purchase among the nearly 9,000 customer card accounts assigned to its customers and listed in the alert.
The financial firm also noted that 9,000 was higher than the number of compromised accounts that it experienced as a result of 2013's epic Target Corp. data breach, which involved the compromise of 40 million credit and debit cards, email addresses and telephone numbers of up to 70 million customers.
By comparison, Target's period of compromise lasted about three weeks and affected the majority of its 1,700 U.S. stores, suggesting that a Chick-Fil-A breach lasting 10 months and affecting even a smaller percentage of its 1,850 U.S. locations may be comparable in size and scale to the breaches at Target and Home Depot Inc.
In a statement to SearchSecurity, Chick-Fil-A said it recently received reports of what it called "potential unusual activity involving payment cards used at a few" of its restaurants.
"We take our obligation to protect customer information seriously, and we are working with leading IT security firms, law enforcement and our payment industry contacts to determine all of the facts," Chick-Fil-A said in the statement. "We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so.
"If the investigation reveals that a breach has occurred," the company added, "customers will not be liable for any fraudulent charges to their accounts. Any fraudulent charges will be the responsibility of either Chick-Fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring."
A source told Krebs that while the bulk of the fraud to date was tied to locations in Georgia, Maryland, Pennsylvania, Texas and Virginia, Chick-Fil-A locations across the country have been affected.
The Chick-Fil-A data breach is the latest sign that restaurant chains represent an increasingly attractive target for attackers seeking to steal customer payment card data.
In October, International Dairy Queen Inc., operator of Dairy Queen and Orange Julius restaurants, confirmed that the infamous Backoff malware was behind the recent theft of payment card data at nearly 400 of its 4,500 U.S.-based locations.
A month earlier Illinois-based sandwich shop franchise Jimmy John's revealed that it had suffered a credit and debit card data breach at 216 of its locations.
Krebs noted that in both the Dairy Queen and Jimmy John's breaches, the affected locations had outsourced the management of their point-of-sale systems to third-party companies. Attackers were able to gain POS system access via the third parties and install point-of-sale malware to steal payment data.