Pizza is one of the more iconic foods in this culture, and consumers think positively of indulging in it. What is not welcome is the occasional problem with the credit card system, which unfortunately is what occurred in the recent Ci Ci’s breach. Over 130 locations were affected (Bisson, 2016; Pleasant, 2016; Kan, 2016; Copeland, 2016). Specifically, problems were noted with the POS systems at these locations. The investigation started in March 2016 (Northrup, 2016). Reports of the issue came from several locations (Bisson, 2016) and, curiously enough, six financial institutions (NAFCU, 2016; Dissent, 2016).
The locations found that their POS systems appeared to be malfunctioning. This acted as each site’s red flag that something was not quite right. The financial institutions, for their part, noticed an increase in fraud in certain client accounts (NAFCU, 2016). As the number of suspected cases began to increase, the affected parties researched the issue and contacted Ci Ci’s. The issue revolved around malware that had been placed on the affected systems. A third party was contracted to review the sites and remediate the issues. The affected sites were widespread: they were located in Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Maryland, Missouri, Mississippi, North Carolina, Ohio, Oklahoma, South Carolina, Tennessee, Virginia, and Wisconsin (Northrup, 2016).
This is not a new phenomenon. Other recent targets of this nefarious activity were Wendy’s, Dairy Queen, Buffalo Wild Wings, Taco Time, and Wingstop. Together these span restaurants of different sizes (national chains and local) and types of food.
The problem was first noted in early March 2016, when the POS systems were not working well (Krebs, 2016). Once it became readily apparent that there was an issue, a fuller investigation ensued. There was indeed a breach of the POS system (Secureworld, 2016). The remainder of the sites were analyzed for the presence of malware by 403 Labs (Krebs, 2016). The vendor determined the breach was initiated in 2015, and the malware was active through the discovery date.
To gain unauthorized access, a group posed as technical support for Ci Ci’s POS provider, Datapoint (Abel, 2016; Guard, 2016). After using the usual social engineering tactics, the attackers gained access and downloaded the malware (Krebs, 2016). Once the malware was on the system, it was able to capture each consumer’s credit card data. The victims’ credit card data was then bundled together and sold to others. The purchasers would then place the data on credit card blanks, emboss these with the correct consumer information, and use them to purchase higher-end products.
There continues to be one focus of attack: the user. The user continues to be a weak link. The attackers could have taken an abundance of time to perform a full hack of the system (enumeration, Google hack, review of potential system vulnerabilities, etc.). This may have taken much more time than was necessary with this simple social engineering attack against a handful of employees with the access the attackers needed. The tactic to best defend against an attack much like this is simply training, more training, and a healthy dose of thoughtfulness.
At the National Cybersecurity Institute we provide resources, such as webinars, to help our readers prepare for the cybersecurity challenges facing them today. We hosted a webinar on “Human Hacking; The Art of Social Engineering”. During this informational webinar we talked about the latest threats and solutions for organizations to defend themselves against the art of human manipulation.
Abel, R. (2016, June 9). Update: Possible POS breach at cici’s pizza. Retrieved from http://www.scmagazine.com/cicis-pizza-may-have-experienced-pos-breach-through-third-party/article/501245/
Bisson, D. (2016, July 20). Cici’s pizza suffers payment card breach at 130+ locations. Retrieved from http://www.tripwire.com/state-of-security/latest-security-news/cicis-pizza-suffers-payment-card-breach-at-130-locations/
Copeland, M. (2016, July 22). Credit card security breached at local cici’s restaurants. Retrieved from http://www.wacotrib.com/news/business/credit-card-security-breached-at-local-cicis-restaurants/article_c5729531-b48e-5c60-9c56-4db2c58a6575.html
Dissent. (2016, June 4). Banks: Credit card breach at cici’s pizza. Retrieved from https://www.databreaches.net/banks-credit-card-breach-at-Cici-s-pizza/
Guard, B. (2016, June). Suspected data breach at cicis pizza exposes customer payment cards. Retrieved from http://blog.billguard.com/2016/06/apparent-data-breach-cicis-pizza-exposes-customer-payment-cards/
Kan, M. (2016, July 20). Hackers have targeted 130 restaurants at cicis pizza chain. Retrieved from http://www.pcworld.com/article/3098167/hackers-have-targeted-130-restaurants-at-cicis-pizza-chain.html
Krebs, B. (2016, July 19). Cici’s pizza: Card breach at 130+ locations. Retrieved from https://krebsonsecurity.com/2016/07/cicis-pizza-card-breach-at-130-locations/
NAFCU. (2016). Cici’s pizza hit by data breach. Retrieved from https://www.nafcu.org/News/2016_News/June/Krebs_Cici_s_Pizza_hit_by_data_breach/
Northrup, L. (2016, July 20). Eat at cici’s pizza in the last year? Watch your credit card statements. Retrieved from https://consumerist.com/2016/07/20/eat-at-cicis-pizza-in-the-last-year-watch-your=credit-card-statements
Pleasant, R. (2016, July 20). Cici’s pizza data breach serves a slice of credit card theft. Retrieved from http://siliconangle.com/blog/2016/07/20/cicis-pizza-serves-a-slice-of-credit-card-theft/
Secureworld. (2016, July 21). Cici’s pizza suffers data breach: 17 states affected. Retrieved from http://www.secureworld.expo.com/cicis-pizza-suffers-data-breach-17-states-affected-0?utm_source=Copy+of+SW+Post+July+21%2C+2016&utm_compaign=SW+Post#3a+July+7%2C+2016&medium=em
About Charles Parker, II
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.
Mr. Parker has matriculated and attained the MBA, MSA, JD, LLM, and is in the final stage of the PhD in Information Assurance and Security (ABD) from Capella University. Mr. Parker’s areas of interest include cryptography, AV, and SCADA.