Restaurant diners in the US Midwest and East might want to closely monitor their bank accounts, after four popular restaurant chains operating in those regions had their customers’ payment card information stolen.
Discovering that Joker’s Stash – a major underground online portal infamous for buying and selling stolen payment card data – had announced the availability of about four million cards, KrebsOnSecurity investigated the matter further and found that the information was stolen from the restaurant chains Krystal, Moe’s, McAlister’s Deli, and Schlotzsky’s.
Two anonymous industry sources which track payment card fraud confirmed the hack with KrebsOnSecurity. Notably, Krystal announced a data breach last month, while the other three are all part of the same parent company, Focus Brands, which disclosed breaches in August.
Gemini Advisory, a fraud intelligence company, further verified the cyberattacks and shared more details about the breaches.
“Gemini found that the four breached restaurants, ranked from most to least affected, were Krystal, Moe’s, McAlister’s and Schlotzsky’s,” the company said in a statement.
“Of the 1,750+ locations belonging to these restaurants, nearly 50% were breached and had customer payment card data exposed. These breached locations were concentrated in the central and eastern United States, with the highest exposure in Florida, Georgia, South Carolina, North Carolina, and Alabama.”
The breach was first announced on Joker’s Stash on November 11, and the black market bazaar published the data November 22, Gemini found. The security company believes that the card data was offered months after the breaches to avoid oversaturating the black market with too much stolen card data.