An American restaurant chain revealed it suffered a data breach affecting customers’ payment card details at most of its locations.
On 22 June, PDQ issued a statement explaining that a malicious attacker obtained unauthorized access to its computer system and acquired the names, credit card numbers, expiration dates and cardholder verification value (CVV) of some of its customers.
The restaurant chain first learned that some customers’ information might have been compromised on 8 June. It launched an investigation shortly thereafter and determined that the period of unauthorized access lasted from 19 May 2017 to 20 April 2018. During that time, attackers made off with customers’ information used at all but three of the company’s locations.
PDQ wasn’t able to pinpoint an exact number of payment cards that the attackers might have exposed. For that reason, it urged customers who used a payment card at one of its affected locations during the breach period to monitor their credit reports and bank statements carefully. The restaurant chain also clarified what actions it’s taken since discovering the unauthorized access to its systems:
“Caring for our customers is a top priority, and once we suspected a possible breach, we acted immediately to address the situation and stop the breach. We initiated an investigation and engaged a cybersecurity firm that conducted a comprehensive forensic review of the attack. We reported the breach to law enforcement and continue to work with authorities and state regulators. We have taken steps to further strengthen the security of our systems to help prevent this type of incident from happening again.”
As of this writing, PDQ has traced the breach back to “an outside technology vendor’s remote connection tool.” This type of attack vector highlights the importance of organizations reviewing the digital security risks lurking in their supply chain.