Restaurant Chain Working with Law Enforcement.
Atlanta-based fast-food chain Chick-fil-A says it is working with law enforcement and a leading IT security firm to investigate whether its point-of-sale network has been breached.
In a Dec. 30 statement, the chain says it has recently received reports of potential unusual activity involving payment cards used at a few of its restaurants.
“We want to assure our customers we are working hard to investigate these events and will share additional facts as we are able to do so,” Chick-fil-A states. “If the investigation reveals that a breach has occurred, customers will not be liable for any fraudulent charges to their accounts – any fraudulent charges will be the responsibility of either Chick-fil-A or the bank that issued the card. If our customers are impacted, we will arrange for free identity protection services, including credit monitoring.”
The news comes just one week after some card issuers and a security expert told Information Security Media Group they suspected a common link between suspicious activity and payment cards recently used at some Chick-fil-A locations.
One security source, who asked not to be named, told ISMG on Dec. 22 that MasterCard had issued a fraud alert on Dec. 19 about a merchant that may have been breached sometime between December 2013 and September of this year. Many issuers suspected the merchant to be Chick-fil-A or its payments processor, Charge Anywhere, which in early December confirmed a breach of its network linked to malware.
Neither Chick-fil-A nor MasterCard would comment about that alert, but the source who spoke with ISMG said the alleged compromise of Chick-fil-A appeared to be sporadic. One card issuer in the Northeast reportedly had more than 8,000 cards impacted, while other issuers had fewer than 10 cards affected, the source said.
“It could be a segment or set of franchises, because the number of compromised cards they received was pretty low and they would typically receive a lot more cards by now,” the source told ISMG on Dec. 23. “It’s really a wild card for now.”
One executive with a banking institution based in the Southeast, who also asked not to be named, says considerable fraud linked to Chick-fil-A first surfaced over the summer. But this executive says the fraud at Chick-fil-A is likely linked to a breach of the chain’s processor, Charge Anywhere, not a POS attack targeted solely at the fast-food chain.
“I have reviewed the list from MasterCard on the processor breach and it does include Chick-fil-A and Dairy Queen, plus numerous other merchants,” the executive says. “One of the merchants is a local fruit market that we have suspected since 2007, but were never able to prove. This tells me that this was a breach at the processor, Charge Anywhere, and probably goes back even further than they are saying. They have indicated 2009, but I suspect at least 2007. It is really difficult to pinpoint a common point of compromise when a processor is involved, but this list solves many old unsolved cases for us.”
In October, Dairy Queen confirmed a breach of its POS network that affected 395 of its 4,500 franchised U.S. locations.
Charge Anywhere confirmed earlier this month that its network had been compromised by malware, but the company reported that the breach only dated back to 2009.
On Dec. 30, a Charge Anywhere spokesman told ISMG: “We haven’t got much information about the investigation and the status of that investigation right now.”