Would You Like Some Pancakes With That Breach?

by lg0p89

At first glance, a restaurant or restaurant chain would not look like a high value target near the top of anyone's list, as it does not hold the classic Personally Identifiable Information (PII), e.g. names tied to Social Security Numbers, medical records, and other confidential data.

Curiously though, this industry has much the same data that others do, and it is very saleable.  The primary data the attackers are after here are the payment card numbers.  These may be monetized in a few different ways, as we have seen time and time again: bulk sales of the card data, or simply creating new physical cards by encoding the stolen data onto a magnetic stripe.  One such restaurant that faced these difficulties in 2019 was Huddle House.  Huddle House, headquartered in Atlanta, is a casual dining and fast food operation.

Attack

Huddle House was targeted by an attack which, from the attackers' point of view, was very successful.

They released a statement on the malware infection.

The specific system breached was the Point of Sale (PoS) system, just like other retailers, which was infected with malware at various locations.  The PoS system was a third party's.  The malware was coded to let the attackers steal the card data of Huddle House's customers: name, credit or debit card number, expiration date, card holder verification number, and service code.  That list is telling.  These are exactly the fields encoded on a card's magnetic stripe (tracks 1 and 2), which is what a PoS memory scraper harvests and all that is needed to clone a card for in-person use.

With this data, you could have a great shopping experience on someone else's dime.
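To see why that particular field list matters, here is an added example (not code from the article, Huddle House, or its PoS vendor) that parses a magnetic stripe track 2 string into the fields the breach notice lists and decodes the service code.  The sample track is constructed from a well-known test PAN with made-up expiry and discretionary data; the field layout follows ISO/IEC 7813.

```python
"""Parse ISO/IEC 7813 track 2 data, the format a PoS memory scraper harvests.

Added example for this article; it is not code from Huddle House or its
PoS vendor. The sample track string is constructed from a well-known
test PAN and made-up expiry and discretionary data.
"""
import re

# ';' and '?' are the start and end sentinels; the trailing LRC byte is
# produced by the reader and is not part of the stored string.
# PAN (12-19 digits), '=', YYMM expiry, 3-digit service code, discretionary data.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Service code meanings per ISO/IEC 7813.
INTERCHANGE = {      # digit 1: where the card may be used and whether chip is preferred
    "1": "international interchange",
    "2": "international interchange, chip (IC) preferred",
    "5": "national interchange only",
    "6": "national interchange only, chip (IC) preferred",
    "7": "no interchange (private label)",
    "9": "test card",
}
AUTHORIZATION = {    # digit 2: how the issuer must be contacted
    "0": "normal authorization",
    "2": "online authorization by issuer required",
    "4": "online authorization by issuer required, except under bilateral agreement",
}
SERVICES = {         # digit 3: allowed services and PIN rules
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only (no cash)",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN where feasible",
    "7": "goods and services only, PIN where feasible",
}

# Constructed sample: the classic Visa test PAN, expiry 12/2025, service code 201.
SAMPLE_TRACK2 = ";4111111111111111=2512201000000000123?"


def luhn_ok(pan):
    """Mod-10 check digit test; a cheap way to reject typos or junk before a PAN is used."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track):
    """Split a track 2 string into its fields and decode the service code."""
    m = TRACK2_RE.match(track)
    if not m:
        raise ValueError("not a well-formed track 2 string")
    pan, exp, svc, disc = m["pan"], m["exp"], m["svc"], m["disc"]
    yy, mm = int(exp[:2]), int(exp[2:])
    if not 1 <= mm <= 12:
        raise ValueError("expiry month out of range")
    return {
        "pan": pan,
        "masked_pan": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],  # PCI-style first6/last4 masking
        "luhn_valid": luhn_ok(pan),
        "expiry": f"{mm:02d}/20{yy:02d}",
        "service_code": svc,
        "interchange": INTERCHANGE.get(svc[0], "reserved"),
        "authorization": AUTHORIZATION.get(svc[1], "reserved"),
        "services": SERVICES.get(svc[2], "reserved"),
        # A 2xx/6xx code tells an EMV terminal to insist on the chip; cloned
        # stripe data from such a card only works where no chip reader is used.
        "chip_preferred": svc[0] in "26",
        "discretionary": disc,  # issuer data, commonly including CVV1, the stripe's verification value
    }


if __name__ == "__main__":
    for k, v in parse_track2(SAMPLE_TRACK2).items():
        if k != "pan":          # never print the full PAN in real tooling
            print(f"{k:>15}: {v}")
```

The service code is the field most people skip over: its first digit is what decides whether a terminal demands the chip, so a scraper that collects it lets the buyer of a dump pick cards that will still swipe cleanly.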

Unfortunately, the malware variant was not disclosed.  This would have been very useful, not only for research purposes, but also for other businesses to learn from: what to watch for, how it worked, and so on.

The malware delivery mechanism was interesting.  The attackers compromised the third-party PoS vendor and used the vendor's own remote assistance tools to gain remote access to Huddle House's PoS systems and deploy the malware.  Because those tools reached across the chain, the infection spread to an estimated 341 locations, and every time a customer swiped a credit or debit card at one of them, the attackers' reach grew.

This was noticed only after a good deal of time had lapsed.  The infection window ran from August 1, 2018 to February 1, 2019.  In essence, anyone who used a card during those six months probably had their card data at risk.

Detected

Another interesting aspect of this is that Huddle House did not detect the malware.

They perceived no indication of any issue.  The breach was detected by law enforcement and by Huddle House's credit card processor, which is the usual way PoS breaches surface: the card brands trace a cluster of fraudulent transactions back to the common point of purchase.  Seemingly, Huddle House should have noticed something in their own logs first.

Post-Attack

After the notification, the investigation began.

Initially, the business had no idea how many of their locations were involved or how many customers were affected.  Within 24 hours of becoming aware, they retained a third-party forensics company and began working with law enforcement.

The notification to customers was to monitor their card statements and possibly call the card issuer to request a new card.  While this is helpful, if obvious, it still creates work for their customers now and in the future.

Lessons (Not) Learned (Still)

The Huddle House story is much like most other breaches; there is nothing really exciting in it.

What does make this one a bit more interesting is the attack path itself.  The old saying is that you are only as strong as your weakest link.  This continues to be the case.

When a business allows another organization (a third party) access to its network and/or data, it is letting in not only the third party but also the baggage and issues of the third party's systems, which come along for the ride.  Anyone who compromises the third party likewise gets all the access the third party has, and often much more.

There is a massive retailer with stores throughout the U.S. that allows third parties access to its network.  They use this authorized access to upload invoices and perform various other functions.  As they connect and log in, any infection they carry may be shared with that system.

This is the issue facing cybersecurity and supply chain management.

While the business has some level of visibility into its own network, that visibility generally does not extend to its third parties.  Getting cybersecurity data from third parties is difficult, as this is new ground for the vendors and, naturally, they don't want to tell others about their vulnerabilities for fear the information could reach unauthorized parties and be exploited.

A System and Organization Controls (SOC) report (along with other reports) shows, as of a given date or over a given review period, where their control gaps and weak points were.  In the wrong hands that is a roadmap.

As time passes and these requests become greater in number and frequency, the attitude will slowly change.  Until then, start and continue to ask for these reports and put them in your contracts.  Both the business and its third-party vendors have to understand that this access is an attack point.  If everyone keeps their heads in the sand hoping all will be well, all won't be well.  Just ask the national retailer whose HVAC vendor's stolen network credentials gave attackers the foothold that led to its PoS system being breached just before the largest sales period of the year.

Also, it is notable that Huddle House had no idea there was a problem until they received the call.

If an estimated 341 sites are affected and the card data is being sent to the command and control servers in small or large blocks, it would seem that the cybersecurity team could have looked at the logs and noticed the activity, either because of the amount of data leaving or the frequency of the connections.

Granted, the logs can be large; that's why they sell Security Information and Event Management (SIEM) systems.

A program can also be written to parse through them looking for trends.  PoS terminals should only ever talk to a short list of destinations, so hundreds of them opening connections to the same unfamiliar host, on a regular schedule, is a trend worth an alert.
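The kind of trend-spotting described above, as an added example that is not code from the article, from Huddle House, or from any SIEM product: a small Python triage script over constructed firewall egress records from three stores.  The record format, the destination allowlist, the site-count and beacon-regularity thresholds, and the log lines themselves are all assumptions made for the example.

```python
"""Spot a PoS fleet beaconing to an unfamiliar host in firewall egress logs.

Added example for this article; it is not code from Huddle House, its PoS
vendor, or any SIEM product. The log format, the allowlist, the thresholds
and the log lines themselves are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Assumed egress record format: one line per outbound connection from a store.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) site=(?P<site>\d+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Assumed allowlist: the only hosts a PoS terminal has any business talking to.
ALLOWED_DESTINATIONS = {"processor.example.net:443", "updates.posvendor.example:443"}

# Constructed sample from three stores. pos-01 at each store contacts the same
# unlisted address every 15 minutes; the rest is normal processor/update traffic
# plus one harmless one-off from a back-office PC.
SAMPLE_LOG = """\
2019-01-14T02:00:03Z site=0012 src=pos-01 dst=processor.example.net:443 bytes_out=1840
2019-01-14T02:00:11Z site=0012 src=pos-01 dst=198.51.100.23:8080 bytes_out=6144
2019-01-14T02:03:40Z site=0087 src=pos-01 dst=198.51.100.23:8080 bytes_out=6010
2019-01-14T02:07:05Z site=0203 src=pos-01 dst=198.51.100.23:8080 bytes_out=5970
2019-01-14T02:09:48Z site=0087 src=pos-02 dst=processor.example.net:443 bytes_out=2210
2019-01-14T02:15:09Z site=0012 src=pos-01 dst=198.51.100.23:8080 bytes_out=6212
2019-01-14T02:18:41Z site=0087 src=pos-01 dst=198.51.100.23:8080 bytes_out=6301
2019-01-14T02:22:06Z site=0203 src=pos-01 dst=198.51.100.23:8080 bytes_out=6220
2019-01-14T02:26:30Z site=0087 src=office-pc dst=203.0.113.9:443 bytes_out=900
2019-01-14T02:30:10Z site=0012 src=pos-01 dst=198.51.100.23:8080 bytes_out=5990
2019-01-14T02:31:55Z site=0203 src=pos-01 dst=processor.example.net:443 bytes_out=1775
2019-01-14T02:33:39Z site=0087 src=pos-01 dst=198.51.100.23:8080 bytes_out=5888
2019-01-14T02:37:04Z site=0203 src=pos-01 dst=198.51.100.23:8080 bytes_out=6105
2019-01-14T02:44:02Z site=0012 src=pos-01 dst=updates.posvendor.example:443 bytes_out=410
2019-01-14T02:45:12Z site=0012 src=pos-01 dst=198.51.100.23:8080 bytes_out=6080
2019-01-14T02:48:42Z site=0087 src=pos-01 dst=198.51.100.23:8080 bytes_out=6150
2019-01-14T02:52:07Z site=0203 src=pos-01 dst=198.51.100.23:8080 bytes_out=6044
"""


def parse_line(line):
    """Turn one egress record into a dict, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "site": m["site"], "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between connections; near 0 means clockwork."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return None if avg == 0 else pstdev(gaps) / avg


def find_suspicious_egress(log_text, allowlist, min_sites=3, max_cv=0.2):
    """Flag non-allowlisted destinations shared across many sites or contacted on a schedule.

    min_sites and max_cv are assumed thresholds; tune them to the estate.
    """
    per_dst = defaultdict(lambda: {"sites": set(), "bytes": 0, "conns": defaultdict(list)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        d = per_dst[rec["dst"]]
        d["sites"].add(rec["site"])
        d["bytes"] += rec["bytes"]
        d["conns"][(rec["site"], rec["src"])].append(rec["ts"])

    findings = []
    for dst, d in per_dst.items():
        if dst in allowlist:
            continue
        scores = [s for s in (beacon_score(t) for t in d["conns"].values()) if s is not None]
        reasons = []
        if len(d["sites"]) >= min_sites:
            reasons.append(f"contacted from {len(d['sites'])} sites")
        if scores and min(scores) <= max_cv:
            reasons.append("clockwork connection interval")
        if reasons:
            findings.append({
                "dst": dst,
                "sites": len(d["sites"]),
                "bytes_out": d["bytes"],
                "beacon_cv": round(min(scores), 3) if scores else None,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: (-f["sites"], -f["bytes_out"]))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_egress(SAMPLE_LOG, ALLOWED_DESTINATIONS):
        print(f"{f['dst']}: {f['sites']} sites, {f['bytes_out']} bytes out; " + "; ".join(f["reasons"]))
```

The two signals are deliberately independent: the site-count rule catches a destination that a whole fleet suddenly shares, while the interval rule catches a single infected terminal phoning home on a timer long before the malware reaches a second store.  The one-off from the back-office PC is left alone, which is the difference between an alert someone reads and one that gets filtered.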

Resources

Huddle House Fast Food Chain Suffers Data Breach in POS System

Restaurant Chain Announces Data Breach

Important Security and Personal Data Protection Notification

Huddle House Suffers POS Malware Breach

Huddle House Restaurant Chain Suffers POS Malware Breach

Huddle House Announces Security Breach, POS System is Affected
